1 Introduction


Confidentiality security is concerned with restricting the disclosure of information in systems. One way of achieving this is to use an information flow policy which defines the different classes of information (for example, classified, secret, etc.) that can exist in the system and a flow relation which describes how information may flow between these classes. System entities (users, processes, files, etc.) are considered to be the sources and sinks of information, and each is bound to a security class from the flow policy. This binding is interpreted as: if entity A is bound to class a then A may source information of class a or higher and may sink information of class a or lower. A system is considered multilevel secure if all flows between entities maintain the flow policy. Note that there are special cases where certain entities, such as trusted subjects, are allowed to violate this requirement in a controlled manner.

Entities may be statically or dynamically bound to their security classes. A statically bound entity has a fixed security class that cannot change during its lifetime. The class of a dynamically bound entity may change to accommodate incoming or outgoing data, or to allow direct upgrading or downgrading by some authorized entity. In the case of dynamic binding, a policy on how classes may change is normally adopted. For example, a high water mark policy [17] only allows classes to rise. With this approach, class changes cannot result in a violation of the multilevel security requirement. Some models permit controlled violation of the multilevel security requirement, such as McLean's [14] class change rules.

In this paper we propose two changes to this traditional notion of secure information flow. Firstly, each entity is bound to a group or set of security classes from the flow policy. This set defines the classes of information that the entity is allowed to sink or source. Thus, an entity 'bound' to the set {secret, top-secret} may sink and/or source secret or top-secret information. Of course, all flows will be subject to the constraint that they not violate the flow policy. With this change, we discover that we can describe a variety of new confidentiality policies, in particular aggregation policies. Secondly, we propose that flow policies need not always be based on a transitive flow relation. We give examples of useful non-transitive flow policies, and show how Chinese wall policies such as those in [5, 12, 15] can be constructed in terms of a reflexive flow policy and group bindings for entities. The advantage of our approach is that all these policies can be built within the framework of the same security model.

Section 2 proposes the new (abstract) model for secure information flow. Section 3 gives a refinement of the group confinement model, in the form of a state based mandatory access control model. This implementation oriented model is not unlike traditional MAC models, and we discuss how group confinement could be retrofitted to models such as Bell and LaPadula.

Information flow policies have traditionally been taken to be transitive [6]; however, in [10] a case is made for reflexive flow policies that may contain a non-transitive flow relation. Section 4 of this paper takes reflexive policies one step further by defining reflexive lattices: a reflexive policy with lowest upper and greatest lower bound operators that are useful for calculating the security class of aggregate information. We propose that a flow policy should form a reflexive lattice and show how an arbitrary reflexive relation can be transformed into a reflexive lattice (which in turn can be defined in terms of lattice operations, facilitating its implementation). Section 5 shows how a selection of Chinese wall policies can be described in terms of reflexive flow policies and group confinements.

A number of interpretations can be made of policies that are described as reflexive lattices. Common interpretations are flow policies, which describe the allowable flows between security classes, and integrity policies, which define the clearances necessary to affect the integrity of information. Section 6 proposes a new interpretation for a reflexive lattice that allows it to describe separation of duty policies.

The  appendix  contains  the  necessary  proofs  for  all  properties  proposed  in  the  paper. 
2 Group Confinement Model


As with interval confinement in [10], we will define the concept of group confinement in as general terms as possible. If desired, the model can be subsequently refined along with the definition of information flow. For example, section 3 will consider a refinement to a state transition model.

Definition 1 The group confinement model (GCFM) is defined as

$$GCFM = (ENTS,\ L,\ confine,\ \rhd)$$

where

• ENTS defines the set of entities of interest in the system. An entity is anything which information can flow into and/or out of in the system. Examples are objects, files, and processes. If desired, even parts of the hardware can be considered as entities, for example, a terminal (source and sink of information to the people who use it), a local area network, etc.

• L gives the information flow policy as a distributive lattice, with flow relation (partial order) $\leq^{L}$, and least upper and greatest lower bound operators $\vee^{L}$ and $\wedge^{L}$, respectively¹. We will study the information flow policy in more detail in section 4.

• $\rhd$ is an information flow relation between entities. The relation $E \rhd F$ implies that information can flow from entity E to entity F over the system being studied. It is generalized to $\mathcal{E} \rhd \mathcal{F}$, where $\mathcal{E}, \mathcal{F} \subseteq ENTS$, to mean that information from the entities in $\mathcal{E}$ can flow, as an aggregate, to the entities in $\mathcal{F}$. The relation $\rhd$ can be thought of as an abstraction of the implementation of the system into information flows between entities. How this relation is determined will depend on how the system is modeled, and the interpretation attached to the notion of information flow. In some cases, the flow relation might not reflect all the flows that could occur; rather it represents the flows to which the information flow policy L must apply.

• Every entity $E \in ENTS$ is confined to a set $confine(E)$ (also denoted $\underline{E}$) of security classes from $\alpha L$:

$$confine : ENTS \rightarrow Gclass, \qquad Gclass = \mathcal{P}(\alpha L) - \{\}$$

where $\mathcal{P}\,A$ gives the powerset of the set A. The group confinement of an entity E is interpreted as:

– E is permitted to source information to any class s iff there exists an $a \in \underline{E}$ such that $a \leq s$.

– E is permitted to sink information from any class s iff there exists an $a \in \underline{E}$ such that $s \leq a$.

Note that all flows are subject to the constraint that they do not violate the flow policy: the multilevel security requirement must hold for confinement, i.e.,

$$\text{information flows from class } a \text{ to class } b \text{ implies } a \leq^{L} b$$

◇

¹ If L is a lattice then $\alpha L$ gives its set of components; $\leq^{L}$ its partial ordering; $\vee^{L}$ and $\wedge^{L}$ its lowest upper and greatest lower bound operators respectively. We will often drop the L from the operator when no ambiguity can arise. Similar abbreviations will be made for the other, yet to be defined, policy relations and operators.

Entities in GCFM can be thought of as bound to a confinement group from the group policy $L_G$ with alphabet $\alpha L_G = Gclass$. From the interpretation of group confinement, information from confinement group $A \in \alpha L_G$ is information that could flow (sink) to any class s such that $a \leq s$, where $a \in A$, or could originate (source) from any class s such that $s \leq a$ and $a \in A$. This results in the following definition for the group flow relation on $L_G$.

Definition 2 Information at a confinement group A may flow to confinement group B if $A \rightsquigarrow^{L_G} B$ ($A, B \in \alpha L_G$), where

$$A \rightsquigarrow^{L_G} B \;\equiv\; \exists a \in A,\, b \in B \bullet a \leq^{L} b$$

Note that $\rightsquigarrow$ defined over $L_G$ does not form a partial order because it is neither antisymmetric nor transitive. ◇


Example 1 A system enforces a military style policy with classes u (unclassified), c (classified), s (secret), and t (top-secret). Entities A, B and C are confined to groups {u, c}, {c, s} and {s, t}, respectively. Information is permitted to flow from entity A to entity C since entity A may source classified information and entity C may sink classified information. Information may not flow from C to A however, since the lowest classification of information that C can generate is secret, which cannot be sunk by A. Entity A is allowed to source classified information and entity C is allowed to sink it, so a flow from A to C is permitted.

Note that entity B is also allowed to source classified information, and entity A is allowed to sink this information; therefore a flow from B to A is allowed.

At first this may appear incorrect: what is preventing B sourcing secret information as classified and giving it to A? However, we view entities as entirely passive; they generate information, and the class of the information sourced at a particular instance will depend on the confinement of the entity, in addition to the destination of the information. Thus when B generates information destined for entity A, it is considered to be classified. Similarly, when C generates information destined for B, it is secret. Note that the system flow relation ($\rhd$) is not necessarily transitive, and thus $C \rhd B$ and $B \rhd A$ need not imply $C \rhd A$. Of course, if it is transitive, then the scenario above is not secure since $C \rhd A$ is not secure.

Thus, suppose entities A and B are people, and we have an object D in the system confined to {s} that is used to hold a secret. While entity B is permitted to transmit information to entity A, and is also allowed to read the secret in D, the entity (B) may not, by using the system, give the secret to entity A. For example, if B uses the mail utility to send a copy of D to A, then there is, in the system, a flow $D \rhd A$, which is invalid. The entity B could always read the secret, and then re-type it and send it to user A as classified information. However, in this case the security breach is due to a flow outside the system (the 'human' copy), and therefore is not of interest for security in the system; the person could always use the telephone. If this type of flow is considered a threat, information flow through people can always be considered transitive, so that $D \rhd B \wedge B \rhd A$ implies $D \rhd A$ always holds. Again, this reflects how the $\rhd$ relation represents the flows of interest over the system to which the information flow policy is to be applied. △

Another useful relation that can be defined over confinement groups is the bound order relation $\leq^{L_G}$. This relation determines if one confinement group forms a bound on another. We say that B is a bound on A iff every group that can flow to A can flow to B, and every group that B can flow to, A can also flow to. Formally,

Definition 3 Given confinement groups $A, B \in \alpha L_G$, define

$$A \leq^{L_G} B \;\equiv\; \forall X \in \alpha L_G \bullet X \rightsquigarrow A \Rightarrow X \rightsquigarrow B \;\wedge\; \forall X \in \alpha L_G \bullet B \rightsquigarrow X \Rightarrow A \rightsquigarrow X$$

This is equivalent to

$$A \leq^{L_G} B \;\equiv\; \forall a \in A \bullet \exists b \in B \bullet a \leq^{L} b \;\wedge\; \forall b \in B \bullet \exists a \in A \bullet a \leq^{L} b$$

The ordering $\leq^{L_G}$ forms a partial order over $L_G$. ◇

If information at confinement group A is combined with information at group B then the confinement group of the resulting information should form an upper bound on both A and B, i.e., every group that can flow ($\rightsquigarrow$) into A or B can also flow into their upper bound; similarly, any group that the upper bound can flow into, A and B can flow into.

Definition 4 Define the upper aggregate of confinement groups A and B from group policy $L_G$ to be

$$A \oplus^{L_G} B = \{\, a \vee b \mid a \in A \wedge b \in B \,\}$$

Similarly, a lower aggregate can be defined as

$$A \otimes^{L_G} B = \{\, a \wedge b \mid a \in A \wedge b \in B \,\}$$

The upper aggregate of A and B forms an upper bound on A and B, and their lower aggregate forms a lower bound. They are also distributive. ◇

Example 2 An information flow policy for coordinates is defined in figure 1.

[Figure 1: Coordinates Flow Policy (diagram of the policy L over the classes lat, long and coordinate; not reproduced)]

A database of ICBMs is maintained which includes the longitude (group classification {long}) and latitude (group classification {lat}) of the location of each rocket. A system operator who is allowed to access either longitude or latitude information, but not both, is confined to group {long, lat}. Our definition of multilevel security ensures that this requirement is met, since an aggregate flow of longitude and latitude has confinement grouping {coordinate}, and the confinement of the operator excludes access to information in this group. △
Unfortunately, while the upper aggregate is an upper bound operator, it does not give us a lowest upper bound. The following example will illustrate this, and also that the structure defined by $L_G$ does not describe a lattice.

Example 3 Consider a group confinement policy constructed from the powerset lattice of the set {a, b, c}. This policy will have components {{c}}, {{a}, {b}}, etc. Some upper aggregates are:

$$\{\{a\},\{b\}\} \oplus \{\{a\},\{b\}\} = \{\{a\},\{b\},\{ab\}\} \qquad (1)$$

$$\{\{a\},\{b\}\} \oplus \{\{c\},\{b\}\} = \{\{ac\},\{b\},\{ab\},\{bc\}\} \qquad (2)$$

$$\{\{a\},\{bc\}\} \oplus \{\{c\},\{ab\}\} = \{\{ac\},\{bc\},\{ab\},\{abc\}\} \qquad (3)$$

Equation (1) illustrates that the upper aggregate of a group with itself may not result in the same group. Consider entities E and F bound to this group {{a}, {b}}. The upper aggregate must consider the case where E can source information of class {a} and entity F can source information of class {b}; collectively they can source information of class {ab}, which is not in their original group confinements, but must be in their aggregate.

In equation (3), the operands A and B of the upper aggregate do not have a unique lowest upper bound. Two upper bounds of these components are:

$$\{\{ab\},\{bc\}\} \qquad\qquad \{\{ac\},\{abc\}\}$$

which are disjoint from one another and do not have a lower bound that forms an upper bound on A and B. Thus, $L_G$ does not form a lattice. △

While $L_G$ does not form a lattice, we know that it can be transformed into one using Denning's transformation (see section 4.1.1). However, this transformation is unnecessary² as the aggregation operators have properties that can justify their use later in the paper. Given confinement groups A and B, then

$$\forall D \in \alpha L_G \bullet (A \leq D \wedge B \leq D) \Rightarrow A \oplus B \rightsquigarrow D$$

i.e., the upper aggregate of A and B may flow ($\rightsquigarrow$) to any group that is a bound on A and B. A more general property is

$$\forall D \in \alpha L_G \bullet (A \leq D \wedge B \leq D) \Rightarrow \exists X \subseteq A \oplus B \bullet A \leq X \wedge B \leq X \wedge X \leq D$$

This equation can be thought of as reflecting the fact that while a pair of groups may not have a unique lowest upper bound, the aggregate will contain all candidates: for any upper bound D on A and B, a subset of the aggregate of A and B will form a lower bound on D. The lower aggregate operator has similar properties: for $A, B \in \alpha L_G$

$$\forall D \in \alpha L_G \bullet (D \leq A \wedge D \leq B) \Rightarrow \exists X \subseteq A \otimes B \bullet X \leq A \wedge X \leq B \wedge D \leq X$$

Thus, while $A \otimes B$ does not give a greatest lower bound (A and B may not even have a unique greatest lower bound), any lower bound of A and B will be dominated by some lower bound of A and B that is a subset of $A \otimes B$.

² and undesirable, since performing such a transformation would destroy the structure of $L_G$ that makes it easy to implement using bitwise operations on sets.
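As an added illustration (not part of the paper), the following Python encodes definitions 2 to 4 over the powerset lattice of {a, b, c} used in example 3, representing classes as bitmasks as footnote 2 suggests, and checks equations (1) to (3), the two incomparable upper bounds of equation (3), and both aggregate properties stated above by exhaustive search over $\alpha L_G$. All function names are the example's own.

```python
from itertools import combinations

# Security classes of the powerset lattice over {a, b, c}, as bitmasks:
# a = 0b001, b = 0b010, c = 0b100, so {a,b} = 0b011 and {} = 0.
A_, B_, C_ = 0b001, 0b010, 0b100
ALPHA_L = range(8)   # the eight components of L


def le(x, y):
    """Flow relation of L: x <= y iff the subset x is contained in y."""
    return x & y == x


def join(x, y):
    """Lowest upper bound in L (set union)."""
    return x | y


def meet(x, y):
    """Greatest lower bound in L (set intersection)."""
    return x & y


def flows(A, B):
    """Definition 2: A ~> B iff some a in A lies below some b in B."""
    return any(le(a, b) for a in A for b in B)


def bound_le(A, B):
    """Definition 3 (second form): B is a bound on A."""
    return (all(any(le(a, b) for b in B) for a in A)
            and all(any(le(a, b) for a in A) for b in B))


def upper_agg(A, B):
    """Definition 4: A (+) B = { a v b | a in A, b in B }."""
    return frozenset(join(a, b) for a in A for b in B)


def lower_agg(A, B):
    """Definition 4: A (x) B = { a ^ b | a in A, b in B }."""
    return frozenset(meet(a, b) for a in A for b in B)


def all_groups(classes=ALPHA_L):
    """Every non-empty subset of the given classes; for ALPHA_L this is alpha L_G."""
    classes = list(classes)
    return [frozenset(s) for r in range(1, len(classes) + 1)
            for s in combinations(classes, r)]


def upper_bounds(A, B):
    """All D in alpha L_G with A <= D and B <= D under the bound order."""
    return [D for D in all_groups() if bound_le(A, D) and bound_le(B, D)]


def has_unique_lub(A, B):
    """True iff one upper bound of A and B lies below every other upper bound."""
    ubs = upper_bounds(A, B)
    return any(all(bound_le(D, X) for X in ubs) for D in ubs)


def aggregate_property_holds(A, B):
    """Both properties stated for the upper aggregate: for every bound D on A and B,
    A (+) B ~> D, and some subset X of A (+) B has A <= X, B <= X and X <= D."""
    agg = upper_agg(A, B)
    candidates = all_groups(agg)        # the non-empty subsets of A (+) B
    for D in upper_bounds(A, B):
        if not flows(agg, D):
            return False
        if not any(bound_le(A, X) and bound_le(B, X) and bound_le(X, D)
                   for X in candidates):
            return False
    return True


if __name__ == "__main__":
    A, B = frozenset({A_, B_ | C_}), frozenset({C_, A_ | B_})   # operands of (3)
    print(sorted(upper_agg(A, B)))                                # [3, 5, 6, 7]
    D1, D2 = frozenset({A_ | B_, B_ | C_}), frozenset({A_ | C_, A_ | B_ | C_})
    print(bound_le(D1, D2), bound_le(D2, D1))                     # False False
    print(has_unique_lub(A, B), aggregate_property_holds(A, B))  # False True
```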


2.1 Confinement Group Equivalence

There is a degree of redundancy in confinement groups. For example, the confinement groups {classified, top-secret} and {classified, secret, top-secret} from the military policy have the same meaning: information at any class may flow to these groups, while information at classified or higher may flow out.

Definition 5 Given a flow policy L, then for security classes $a, b, x \in \alpha L$, (a, b covers x) if a forms a lower bound on x and b forms an upper bound on x, i.e.,

$$a, b \text{ covers } x \;\equiv\; a \leq^{L} x \wedge x \leq^{L} b$$

Extending this definition to a confinement group X covering a security class x gives

$$X \text{ covers } x \;\equiv\; \exists a, b \in X \bullet a, b \text{ covers } x$$

◇


Definition 6 Confinement groups A and B from group policy $L_G$ are considered equal if $A =^{L_G} B$, where

$$A =^{L_G} B \;\equiv\; \forall a \in A - B \bullet B \text{ covers } a \;\wedge\; \forall b \in B - A \bullet A \text{ covers } b$$

◇

It can be shown that $=^{L_G}$ forms an equivalence relation over $L_G$, and that the following laws hold: for $A, B, X \in \alpha L_G$, if $A = X$ holds, then

$$A \rightsquigarrow B \Rightarrow X \rightsquigarrow B \qquad\qquad A \cup X = A$$

$$A \oplus B = X \oplus B \qquad\qquad A \cap X = A$$

$$A \otimes B = X \otimes B$$
Since union and intersection over an equivalence class of confinement groups are closed, we can define the smallest and largest representative classes of the equivalence class that group A is in as

$$\lceil A \rceil = \bigcup \{\, X \mid X = A \,\}$$

$$\lfloor A \rfloor = \bigcap \{\, X \mid X = A \,\}$$

In the examples throughout this paper, a confinement group A will normally be represented by the smallest component of its equivalence class, $\lfloor A \rfloor$. The normal set operators (union, intersection, etc.) can be defined over these groups as: for groups A and B, and class a,

$$A \cup_c B = A \cup B \qquad\qquad a \in_c A \;\equiv\; a \in \lceil A \rceil$$

$$A \cap_c B = \lceil A \rceil \cap \lceil B \rceil \qquad\qquad A \subseteq_c B \;\equiv\; \lceil A \rceil \subseteq \lceil B \rceil$$

$$A -_c B = \lceil A \rceil - \lceil B \rceil$$

To reduce the number of different operators, we will overload the normal set operators by dropping the c subscript in the group operators defined above.
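The following Python is an added example (not the paper's) of section 2.1 on the military chain u < c < s < t: it computes `covers`, group equality, the representatives $\lceil A \rceil$ and $\lfloor A \rfloor$ by enumerating $\alpha L_G$, and the c-subscripted set operators, confirming that {classified, top-secret} and {classified, secret, top-secret} are the same group. Function names are the example's own.

```python
from itertools import combinations

# The military chain u < c < s < t as integers; <= on integers is the flow relation.
U, C, S, T = 0, 1, 2, 3
ALPHA_L = (U, C, S, T)


def le(x, y):
    return x <= y


def covers(X, x):
    """Definition 5: X covers x iff some a, b in X satisfy a <= x <= b."""
    return any(le(a, x) and le(x, b) for a in X for b in X)


def equal(A, B):
    """Definition 6: A = B iff each group covers every class the other adds."""
    return (all(covers(B, a) for a in A - B)
            and all(covers(A, b) for b in B - A))


def equivalence_class(A, classes=ALPHA_L):
    """Every group of alpha L_G (non-empty subsets of the classes) equal to A."""
    return [frozenset(s) for r in range(1, len(classes) + 1)
            for s in combinations(classes, r) if equal(frozenset(s), A)]


def largest(A):
    """Ceiling of A: the union of its equivalence class."""
    return frozenset().union(*equivalence_class(A))


def smallest(A):
    """Floor of A: the intersection of its equivalence class."""
    return frozenset.intersection(*equivalence_class(A))


# The c-subscripted set operators of section 2.1, defined via the ceilings.
def member_c(a, A):
    return a in largest(A)


def subset_c(A, B):
    return largest(A) <= largest(B)


def intersect_c(A, B):
    return largest(A) & largest(B)


def difference_c(A, B):
    return largest(A) - largest(B)
```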


2.2 Information Flow

The simple test [10] $E \rhd F \Rightarrow \underline{E} \rightsquigarrow \underline{F}$ ($E, F \in ENTS$) is not a sufficient condition for multilevel security. The test does not consider the possibility of information from a number of entities flowing collectively into another entity. Since the aggregate operator for confinement groups does not give an upper bound, the individual flows may be valid (the confinement group of the destination entity dominates each individual source entity's confinement group), but the combined flow (aggregate of the confinement groups) may be invalid. Recall the security requirement: information at confinement group A may flow to confinement group B iff $A \rightsquigarrow B$; source information may have originated from a number of entities, and thus its confinement grouping is given by the upper aggregate of their confinement groups, and this information must be able to flow to a confinement group that is the lower aggregate of the confinement groups of the destination entities. Thus, a system with group confinements is multilevel secure iff

$$\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \bullet \mathcal{E} \rhd \mathcal{F} \Rightarrow \mathcal{E}^{\oplus} \rightsquigarrow \mathcal{F}^{\otimes} \qquad (4)$$

where

$$\mathcal{E}^{\oplus} = \bigoplus \{\, \underline{E} \mid E \in \mathcal{E} \,\} \qquad\qquad \mathcal{F}^{\otimes} = \bigotimes \{\, \underline{F} \mid F \in \mathcal{F} \,\}$$

The group confinement model is not driven by a special aggregation policy. Rather, the information flow policy, in addition to defining the permitted flows in the system, also inherently defines (possibly disjoint) classes and their aggregates (upper bounds). Group confinement allows one to distinguish the separate classes and their aggregates when binding.

Example 4 Continuing with example 2, the officer (entity O) has confinement

$$\underline{O} = \{lat, long\}$$

and files A and B confinement

$$\underline{A} = \{lat\} \qquad\qquad \underline{B} = \{long\}$$

A system with flows $A \rhd O$ is secure since $\underline{A} \rightsquigarrow \underline{O}$. However, a system with flows $\{A, B\} \rhd O$ is not secure since $\underline{A} \oplus \underline{B} = \{coord\}$, which cannot flow to {lat, long}. △
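An added example (not from the paper) contrasting requirement (4) with the pairwise test of [10], run on example 4: the pairwise test accepts both $A \rhd O$ and $B \rhd O$, while the aggregate test rejects the collective flow $\{A, B\} \rhd O$. Figure 1 is not reproduced on this page, so the policy is assumed here to be the powerset lattice of {lat, long}, with coordinate as their join and an empty bottom class; entity and function names are the example's own.

```python
# Assumed model of figure 1: the powerset lattice of {lat, long}, with classes as
# bitmasks. lat = 0b01, long = 0b10, coord = lat v long = 0b11, bottom {} = 0b00.
LAT, LONG = 0b01, 0b10
COORD = LAT | LONG


def le(x, y):
    """Flow relation of L: subset inclusion on the bitmasks."""
    return x & y == x


def flows(A, B):
    """Definition 2: A ~> B iff some a in A lies below some b in B."""
    return any(le(a, b) for a in A for b in B)


def upper_agg(A, B):
    """Definition 4: A (+) B = { a v b | a in A, b in B }."""
    return frozenset(a | b for a in A for b in B)


def lower_agg(A, B):
    """Definition 4: A (x) B = { a ^ b | a in A, b in B }."""
    return frozenset(a & b for a in A for b in B)


def fold_agg(op, groups):
    """(+){ E | E in Es } or (x){ F | F in Fs }: fold the binary operator.
    A single group aggregates to itself (not to E (+) E, which may be larger)."""
    groups = list(groups)
    acc = groups[0]
    for g in groups[1:]:
        acc = op(acc, g)
    return acc


def simple_test_secure(confine, system_flows):
    """The pairwise test from [10]: E |> F implies E ~> F for every source/sink pair.
    Each element of system_flows is (sources, sinks), a generalised flow Es |> Fs."""
    return all(flows(confine[E], confine[F])
               for sources, sinks in system_flows
               for E in sources for F in sinks)


def aggregate_secure(confine, system_flows):
    """Requirement (4): for every generalised flow Es |> Fs,
    (+){ E | E in Es } ~> (x){ F | F in Fs }."""
    for sources, sinks in system_flows:
        src = fold_agg(upper_agg, (confine[E] for E in sources))
        dst = fold_agg(lower_agg, (confine[F] for F in sinks))
        if not flows(src, dst):
            return False
    return True


# Example 4: latitude file A, longitude file B and the operator O (constructed data).
CONFINE = {
    "A": frozenset({LAT}),
    "B": frozenset({LONG}),
    "O": frozenset({LAT, LONG}),
}
INDEPENDENT = [({"A"}, {"O"}), ({"B"}, {"O"})]   # A |> O and B |> O, separately
COLLECTIVE = [({"A", "B"}, {"O"})]                # {A, B} |> O, as an aggregate


if __name__ == "__main__":
    print(simple_test_secure(CONFINE, INDEPENDENT), aggregate_secure(CONFINE, INDEPENDENT))
    print(simple_test_secure(CONFINE, COLLECTIVE), aggregate_secure(CONFINE, COLLECTIVE))
```

The second line printed is `True False`: the pairwise test misses the violation that the aggregate test catches.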

Example 5 Entities E, F and X have confinements

$$\underline{E} = \{a1, a2\} \qquad \underline{F} = \{b\} \qquad \underline{X} = \{x1, x2\}$$

drawn from the flow policy described in figure 2. A system with flows $\{E, X\} \rhd \{F\}$ and $\{X\} \rhd \{E\}$ is secure since X sources class x1 information to E ($X \rhd E$) and E and X source $a2 \vee x2 = b$ information to F. A system with flows $\{E, X\} \rhd \{E, F\}$ is not secure since

$$\underline{E} \oplus \underline{X} = \{a1, c, d, b\} \;\not\rightsquigarrow\; \{x3, a2\} = \underline{E} \otimes \underline{F}$$

This second scenario might correspond to a system where E receives information from X and then forwards that information with some of its own to F. The first scenario is the case where F receives independent information from E and X, and the information sourced by E is not the information it had sunk from X. This example shows the importance of representing (using $\rhd$) the nature of flows in the system correctly. △

Note that this security requirement is not too strong, despite the fact that the aggregation operators, while providing upper and lower bounds, do not give lowest upper or greatest lower bounds: recall the properties for aggregation ($A, B \in \alpha L_G$)

$$\forall D \bullet (A \leq D \wedge B \leq D) \Rightarrow A \oplus B \rightsquigarrow D$$

$$\forall D \bullet (D \leq A \wedge D \leq B) \Rightarrow D \rightsquigarrow A \otimes B$$

These imply that if there exists any upper bound D on the confinements of the entities of $\mathcal{E}$ that is also a lower bound on the confinements of the entities in $\mathcal{F}$, then $\mathcal{E}^{\oplus} \rightsquigarrow \mathcal{F}^{\otimes}$ holds. If such a bound does not exist the flow is not secure and $\mathcal{E}^{\oplus} \rightsquigarrow \mathcal{F}^{\otimes}$ does not hold.

Group confinement is a generalization of interval confinement [10]. Interval confinement is the case where each entity's group confinement forms an interval on the flow policy.


2.3 Group and Interval Confinement

In [10] entities are confined to an interval [a, b] from the flow policy such that $a \leq b$. In this section we will show that the group confinement model is a generalization of the interval confinement model from [10].

Consider confinement groups of $L_G$ that can be described as intervals of L, i.e., for $X \in \alpha L_G$, X can be described as an interval if

$$\exists a, b \in X \bullet \forall x \in X \bullet a \leq x \wedge x \leq b$$

If such an a, b exist it follows that $a \leq b$ and $\{a, b\} = X$. Now define an interval policy $L_I$ whose components represent groups that can be described as intervals of L, i.e.,

$$\alpha L_I = \{\, \{a, b\} \mid a \leq b \wedge a, b \in \alpha L \,\}$$

If $A = \{a, b\}$ is an element of $\alpha L_I$ with $a \leq b$, then let $A_L$ denote the lower bound a and $A_H$ denote the upper bound b on the interval described by A.

Now define for this policy $L_I$ flow and aggregate operators based on those for $L_G$ (i.e., definitions 2 and 4). This gives for $A, B \in \alpha L_I$,

$$A \rightsquigarrow^{L_I} B \;\Leftrightarrow\; \exists a \in A,\, b \in B \bullet a \leq b \;\Leftrightarrow\; A_L \leq B_H$$

$$A \oplus^{L_I} B = \{\, A_L \vee B_L,\ A_H \vee B_H \,\}$$

$$A \otimes^{L_I} B = \{\, A_L \wedge B_L,\ A_H \wedge B_H \,\}$$

We can show that $L_I$ forms a lattice with an ordering relation defined as ($A, B \in \alpha L_I$)

$$A \leq^{L_I} B \;\Leftrightarrow\; A_L \leq^{L} B_L \wedge A_H \leq^{L} B_H$$

Thus, $A \oplus^{L_I} B$ gives a lowest upper bound and $A \otimes^{L_I} B$ a greatest lower bound on A and B. Therefore, in a system where all group confinements can be described as intervals (components of $L_I$), the security requirement given above (equation (4)) can be simplified to

$$\forall E, F \in ENTS \bullet E \rhd F \Rightarrow \underline{E} \rightsquigarrow \underline{F} \qquad (5)$$

In [10] entities are bound to intervals identical to those in $L_I$, and the security requirement is

$$\forall E, F \in ENTS \bullet E \rhd F \Rightarrow \underline{E}_L \leq \underline{F}_H$$

which is equivalent to requirement (5) above, given the definition of $\rightsquigarrow$ on $L_I$. Therefore, interval confinement is a special case of group confinement where the groups can be described as intervals.


3 A State Machine Model

The group confinement model can be refined to a state machine model. In this section we will give one possible refinement, outlining how a restricted notion of group confinement can be implemented in a State based Mandatory access control Model (SMM).

The system model is represented by: an information flow policy L which forms a distributive lattice; a fixed set of system entities ENTS (subjects and objects); a set of system states S; an initial state $s_0$; and a state transition function T.

The system state in the MAC model describes the current accesses between subjects and objects and their current group confinements. For simplicity we choose to abstract the information about a system state to the following:

• a function $confine(s, E)$ which returns the group confinement of entity $E \in ENTS$ at state s. This can also be written as $s.\underline{E}$.

• a transitive and reflexive relation $A \rhd^{s} B$ which reflects the potential flows that could occur during state s due to the system accesses defined at state s.

The state transition function $T(op, s)$ returns a state s' which reflects the effect of applying some access change operation (op) at state s.

We will need to make a number of restrictions on this state model for our refinement to be correct. These will simplify the presentation of the model and also make it easy to implement in practice. Section 3.5 will consider the implications of these restrictions, and how they might be handled in more general refinements of the GCFM. These restrictions are:

• The relation $\rhd$ is transitive and reflexive at any given state, and also transitive in the sense that if $A \rhd^{s} B$ at state s, and $B \rhd^{s'} C$ at a later state s', then there is a flow from A to C over the history of the system (see definition 7 for a formal definition of this).

• The confinement group of an entity contains an element that forms a lower bound on every component of its confinement, i.e., for $E \in ENTS$, $V(\underline{E})$ holds where, for confinement group A,

$$V(A) \;\equiv\; \exists l \in A \bullet \forall a \in A \bullet l \leq a$$

This component is denoted by $\bot_A$, the lowest bound on confinement group A (note that it exists and is unique since the original policy L forms a lattice).

We will now give an informal development of security for the SMM. Section 3.5 proves that the SMM is a refinement of GCFM.

If an entity has a group confinement A at state s then the information held by that entity can be thought of as having some classification $a \in A$. If there is a potential for a flow $E \rhd F$ during this state then this flow is valid so long as every possible class that can be sunk by F could have originated from E, i.e.,

$$\forall f \in s.\underline{F} \bullet \exists e \in s.\underline{E} \bullet e \leq f \qquad (6)$$

This is in a sense like a high water mark. An entity confined to {classified, topsecret} must change its confinement to {secret, topsecret} if a read from a secret file is to be secure (preventing the entity forwarding the information as classified). The confinement of each entity must adhere to the restriction for group confinement, i.e., it must contain a lowest bound on all its components. Thus a state s is secure only if

$$\forall E \in ENTS \bullet V(s.\underline{E})$$

This, along with equation (6), gives the condition for a secure state: state s is secure iff

$$(\forall E, F \in ENTS \bullet E \rhd^{s} F \Rightarrow \forall f \in s.\underline{F} \bullet \bot_{s.\underline{E}} \leq f) \;\wedge\; \forall E \in ENTS \bullet V(s.\underline{E})$$

(note that $\bot_{s.\underline{E}}$ is dominated by every e of $s.\underline{E}$, and hence the simplification of (6).)

The confinement group of an entity may change as the system progresses so long as the changes do not result in a violation of the multilevel security requirement. In making a transition from state s to state s', an entity should not be allowed to source or sink information at state s' that it could not source or sink at state s. Thus if

$$\{\, x \in \alpha L \mid \exists y \in s.\underline{E} \bullet y \leq x \,\}$$

gives the security classes from which entity E may source information at state s, then at state s'

$$\forall x \in s'.\underline{E} \bullet \exists y \in s.\underline{E} \bullet y \leq x \qquad (7)$$

must hold. Similarly for sinks,

$$\forall x \in s'.\underline{E} \bullet \exists y \in s.\underline{E} \bullet x \leq y \qquad (8)$$

Combining (7) and (8) above gives the requirement for a secure transition: for all entities $E \in ENTS$

$$\forall x \in s'.\underline{E} \bullet s.\underline{E} \text{ covers } x \qquad (9)$$

which is equivalent to $s'.\underline{E} \subseteq s.\underline{E}$, where $\subseteq$ describes subset over the largest components of its operands' equivalence classes (see section 2.1). The state transition function is secure if for each state s and operation op, the transition to $T(op, s)$ is secure.

The basic security theorem may now be stated.

Theorem 1 A state based MAC system, as described above, is secure iff

• $s_0$ is secure;

• every state reachable from state $s_0$ is secure, and

• transition function T is secure.

PROOF Covered in section 3.5 □

Example 6 A telephone directory holds the names and numbers of individuals from the accounts, personnel, and sales departments of a company. Each entry in the directory is bound to a single class from the set {acc, pers, sale}, identifying the department that each individual belongs to. Each employee allowed access to the directory may obtain numbers from at most two departments. Thus we define an information flow policy for the telephone directory as the powerset lattice $2^{\{acc, pers, sale\}}$. Each employee allowed access to the directory is bound to the confinement group {{}, {acc, pers}, {acc, sale}, {pers, sale}} (note the inclusion of {} to ensure that the confinement has a lowest bound).

Consider a system with telephone book entries labeled A, P, and S, with bindings

$$\underline{A} = \{acc\} \qquad \underline{P} = \{pers\} \qquad \underline{S} = \{sale\}$$

and an employee E with an initial binding at state $s_0$ defined in table 1. This table describes a possible trace of the system. At state $s_1$ employee E accesses the directory for an accounts number. So that this access may be secure (i.e., a secure state), the confinement of E must change to $s_1.\underline{E}$, reflecting the fact that from this state E may subsequently access information either of class pers or of class sale, but not both. Observe that the transition from $s_0$ to $s_1$ is secure since the binding of E at state $s_0$ covers its binding at state $s_1$. A similar (secure) change in the bindings of E is required for the transition to state $s_2$ to be secure. For all subsequent states (after $s_2$) E may access personnel and accounts numbers but may not access sales numbers. △
state s_i   Accesses   Confinement (s_i.E)
s_0         None       {{}, {acc, pers}, {acc, sale}, {pers, sale}}
s_1         A ▷ E      {{acc}, {acc, pers}, {acc, sale}}
s_2         P ▷ E      {{acc, pers}}

Table 1: A secure access sequence


The above example shows how a quantity based aggregation policy can be described in terms of group confinement. We have not considered the possible problem of inference, where an employee might know enough accounts and personnel numbers to deduce something about sales telephone numbers. Such flows might be analyzed using information theoretic techniques, with the (inferred) flows modeled as part of the $\rhd$ relation, and thus would not be of concern to the group confinement model at this level of detail.

3.1 Formal Basis for the State Transition Model

We have given an informal derivation of a state based version of the group confinement model. We will now prove that it is, in fact, a refinement of the GCFM. To do this we will set up an abstraction relation between the components of GCFM and SMM (state MAC model). We will then prove that the definition of security in SMM implies security in GCFM. This proof will provide the formal basis for the basic security theorem proposed earlier.

The SMM and GCFM share the same set of entities. In the SMM, the initial confinement of an entity corresponds to the confinement assigned to it in the GCFM, i.e., confine(E) = $s_0$.confine(E). Thus an entity confined to {secret, top-secret} in the GCFM will have this group as its initial confinement. The fact that its confinement will change as the states progress is an implementation issue. We will assume that there are no flows defined at the initial state. This will ensure that it is secure for the initial confinement.

In the GCFM, the relation $\rhd$ represents the flows that can occur over every possible history of the system. In the state based model, the relation $\rhd^{s}$ describes the flows that could occur due to accesses at state s. Information flow in the SMM is thought of as transitive in the sense that if there is a flow $E \rhd^{s} F$ at state s, and a flow $F \rhd^{s'} G$ at a later state s', then over the history of the system there is a flow from E to G. Thus we define the flows that could have occurred over a system as:
Definition 7 If $\Sigma_n$ denotes a sequence of transitions, starting from the initial state $s_0$ and finishing at state $s_n$, then the flows that can occur over this history are described by the relation $\rhd^{\Sigma_n}$, where for $E, F \in ENTS$,

$E \rhd^{\Sigma_n} F = \begin{cases} \exists G \in ENTS \bullet E \rhd^{\Sigma_{n-1}} G \land G \rhd^{s_n} F & \text{if } n > 0 \\ E \rhd^{s_0} F & \text{otherwise} \end{cases}$

The behaviour of a system can be characterised by $\Sigma$, the set of all possible transition sequences. All possible flows that could occur over the system are defined as ($E, F \in ENTS$, $\mathcal{E}, \mathcal{F} \subseteq ENTS$),

$E \rhd F = \exists \Sigma_n \bullet E \rhd^{\Sigma_n} F$

$\mathcal{E} \rhd \mathcal{F} = \exists \Sigma_n \bullet \forall E \in \mathcal{E}, F \in \mathcal{F} \bullet E \rhd^{\Sigma_n} F$

Observe from the last equation that an aggregate flow is not created if the flows occur from different histories. In our refinement $\rhd$ can be thought of as the abstraction of the flows over the system, i.e., the relation $\rhd^{\Sigma}$. ◇

To prove that the SMM is a correct refinement of the abstract GCFM we must prove that any system secure by the SMM is secure by the abstract GCFM. A system is secure by the GCFM if

$\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \bullet \mathcal{E} \rhd \mathcal{F} \Rightarrow \mathcal{E}^{\otimes} \leq \mathcal{F}_{\oplus}$

where,

$\mathcal{E}^{\otimes} = \otimes\{E \mid E \in \mathcal{E}\}$   $\mathcal{F}_{\oplus} = \oplus\{F \mid F \in \mathcal{F}\}$

A system is secure by the SMM if every possible $\Sigma_n$ is secure (i.e., the basic security theorem holds). Transition sequence $\Sigma_n$ is secure if every state it visits is secure and every state transition it makes is secure. Thus, if

$\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \bullet \mathcal{E} \rhd \mathcal{F} \Rightarrow s_0.\mathcal{E}^{\otimes} \leq s_0.\mathcal{F}_{\oplus}$

holds for a secure SMM system, then it is also secure by the GCFM ($s_0.\mathcal{E}^{\otimes}$ is the upper aggregate of the initial confinements of the entities in $\mathcal{E}$, and similarly $s_0.\mathcal{F}_{\oplus}$ the lower aggregate). This is proven by theorem 2 in the appendix. Thus SMM is a refinement of GCFM: every secure SMM system is a secure GCFM system.
Pre-condition

$\forall E \in ENTS \bullet \otimes\{s.X \mid X \rhd^{op} E\} \cap s.E \neq \{\}$

Post-condition

$\forall E \in ENTS \bullet s'.E = \otimes\{s.X \mid X \rhd^{op} E\} \cap s.E$

$\forall E1, E2 \in ENTS \bullet E1 \rhd^{s'} E2 \Leftrightarrow E1 \rhd^{op} E2$

Table 2: Transition function Req(op, s)


3.2 Precision of the State Machine Model

We must address the precision of the security model SMM: is it possible for a system that is not secure by SMM to be secure by GCFM? Clearly a machine modelled by SMM that sets all entity confinements to singleton sets on its first transition (to a secure state) will lose precision, in that subsequent secure flows might not be permitted. For example, an entity confined to {classified, top-secret}, on reading a secret entity, could have its confinement set to {secret}; the entity can no longer be granted a read to a top-secret entity, while in the GCFM it should be permitted since $\{secret\} \otimes \{top\text{-}secret\} \sqsubseteq \{classified, top\text{-}secret\}$.

Therefore we would like that any implementation of SMM would ensure that the shrinkages of group confinements during state transitions are minimal. To achieve this we will propose an implementation for the state transition function T(op, s). This new function will firstly determine whether a particular access request is possible, and if so, define how the resulting group confinements should be calculated. Furthermore, we will prove that the SMM based on this transition function is precise, i.e., any system not secure by SMM given this transition function is not secure by the GCFM³.

³ Remember that we are dealing with a restricted form of the GCFM, and thus the 'precision' is limited to this class of system.

Definition 8 Table 2 defines the transition function Req(op, s) which, given state s, returns state s', reflecting the effect of applying access request op at state s. In this table, $\rhd^{op}$ gives the access flows that could result if operation op was granted. If the pre-condition does not hold, the operation is ignored, and state s remains unchanged. ◇

Example 7 Return to example 2. If the employee E requests a read to an accounts phone number, then we have $\{acc\} \otimes s_0.E \cap s_0.E \neq \{\}$, i.e., the pre-condition on the request holds, and thus it is secure. At state $s_1$, the confinement of E is calculated as

$s_1.E = \{acc\} \otimes s_0.E \cap s_0.E$

$= \{\{acc\}, \{acc, pers\}, \{acc, sale\}, \{acc, pers, sale\}\} \cap s_0.E$

$= \{\{acc\}, \{acc, pers\}, \{acc, sale\}\}$

The request to then read a personnel number is valid since $\{pers\} \otimes s_1.E \cap s_1.E \neq \{\}$, and at state $s_2$ E's confinement is calculated as

$s_2.E = \{pers\} \otimes s_1.E \cap s_1.E$

$= \{\{acc, pers\}\}$

Now, a request to read a sales number is refused since $\{sale\} \otimes s_2.E \cap s_2.E = \{\}$. △
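As an added illustration (not code from the paper), the following Python replays Table 1 and Example 7 with the Req(op, s) rule of Definition 8 on the powerset lattice of Example 6. It assumes that the upper aggregate is taken pairwise as the join of every pair of classes, that a group's largest component is its convex closure in the lattice (the intervals of lemma 6), and it reads the pre-condition as requiring the intersection to be a non-empty group with a lowest bound; all function names are the example's own.

```python
from itertools import combinations

# Added example, not code from the paper: the transition function Req(op, s)
# of Definition 8 replayed on the telephone-directory policy of Example 6.
# Assumptions beyond the text: the upper aggregate A (x) B is taken pairwise
# as {a join b | a in A, b in B}; a group's largest component is its convex
# closure in the lattice (the intervals of lemma 6); and the pre-condition is
# read as "the intersection is a non-empty group with a lowest bound".

DEPTS = ("acc", "pers", "sale")
# Every class of the powerset lattice 2^{acc, pers, sale}, ordered by subset.
LATTICE = [frozenset(c) for r in range(len(DEPTS) + 1)
           for c in combinations(DEPTS, r)]


def cls(names):
    """A security class from a space-separated list of departments; '' is {}."""
    return frozenset(names.split())


def group(*members):
    """A confinement group: a set of security classes."""
    return frozenset(cls(m) for m in members)


def largest(g):
    """Largest set in g's equivalence class: every lattice class lying between
    two members of g (assumed convex closure, the union of lemma 6's intervals)."""
    return frozenset(x for x in LATTICE
                     if any(lo <= x <= hi for lo in g for hi in g))


def lowest_bound(g):
    """The bottom of g if it exists (the v() restriction of the SMM), else None."""
    return next((lo for lo in g if all(lo <= x for x in g)), None)


def upper_aggregate(a, b):
    """A (x) B, assumed pairwise: the join (set union) of every pair of classes."""
    return frozenset(x | y for x in a for y in b)


def intersect(a, b):
    """The intersection of Table 2, taken over largest components."""
    return largest(a) & largest(b)


def covers(before, after):
    """Equation (9): s.E covers s'.E, i.e. s'.E is a subset of s.E over largest components."""
    return largest(after) <= largest(before)


def secure_state(state, flows):
    """Condition after equation (6): every group has a lowest bound, and for each
    flow E |> F that bound is dominated by every class of s.F."""
    if any(lowest_bound(g) is None for g in state.values()):
        return False
    return all(lowest_bound(state[e]) <= f for e, f_ in flows for f in state[f_])


def req(state, flows):
    """Req(op, s): state maps entity -> group, flows is |>^op as (X, E) pairs.
    Every entity counts as a source of itself (reflexive flow), so s.E itself
    is part of the aggregate, as in Example 7. Returns (granted, new_state)."""
    new_state = {}
    for e, g in state.items():
        agg = g
        for x, y in flows:
            if y == e and x != e:
                agg = upper_aggregate(agg, state[x])
        candidate = intersect(agg, g)
        if not candidate or lowest_bound(candidate) is None:
            return False, state        # pre-condition fails: op ignored, s unchanged
        new_state[e] = candidate
    return True, new_state


# Initial state s_0 of Table 1 (directory entries A, P, S and employee E).
S0 = {"A": group("acc"), "P": group("pers"), "S": group("sale"),
      "E": group("", "acc pers", "acc sale", "pers sale")}


def telephone_trace():
    """Replay Table 1 / Example 7: read an accounts number, then a personnel
    number, then attempt a sales number. Returns (granted, E's group) per step."""
    ok1, s1 = req(S0, {("A", "E")})
    ok2, s2 = req(s1, {("P", "E")})
    ok3, s3 = req(s2, {("S", "E")})
    return (ok1, s1["E"]), (ok2, s2["E"]), (ok3, s3["E"])


if __name__ == "__main__":
    for i, (ok, g) in enumerate(telephone_trace(), 1):
        print(f"s_{i}: granted={ok} E={sorted(sorted(c) for c in g)}")
```

The third request is refused because the intersection for E is empty, which is exactly the refusal of Example 7; the state is left unchanged rather than shrunk.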

Definition 8 was arrived at by the result of lemma 19: a secure transition from secure state s to secure state s' with flows described by $\rhd^{op}$ at state s' is possible iff

$\forall E \in ENTS \bullet \otimes\{s.X \mid X \rhd^{op} E\} \cap s.E \neq \{\}$

and furthermore, that the resulting state defined by Req(op, s) is secure. Therefore, any transition sequence $\Sigma_n$ of SMM, built up in terms of Req(op, s), will only visit secure states $s_i$ and only make secure transitions $s_{i-1}$ to $s_i$ ($1 \leq i \leq n$) along the way. Thus any system having a transition function implemented by Req(op, s) will be secure by SMM, and hence secure by GCFM.

Transition function Req(op, s) provides the basis for a precise implementation of GCFM. Theorem 3 proves that for any transition sequence $\Sigma_n$ built according to function Req(op, s) (which we represent as $\Sigma_n^{Req}$), if a subsequent request op fails its pre-condition (at state $s_n$), then had the transition to state $s_{n+1}$ (with flows described by $\rhd^{op}$) been allowed, the resulting flows of $\Sigma_{n+1}$ would not be secure by the GCFM. Formally, given state $s_n$ reached by $\Sigma_n^{Req}$,

$\exists E \in ENTS \bullet \otimes\{s_n.X \mid X \rhd^{op} E\} \cap s_n.E = \{\} \Rightarrow \neg(\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \bullet \mathcal{E} \rhd^{\Sigma_{n+1}} \mathcal{F} \Rightarrow s_0.\mathcal{E}^{\otimes} \leq s_0.\mathcal{F}_{\oplus})$

Thus any request for a new access that fails the pre-condition on function Req correctly does so.
3.3 SMM and Traditional State Models

There is a similarity between the SMM and traditional state models. The SMM binds each entity to an element of a partial order relation (the group confinement policy); the notion of a secure state is defined exclusively in terms of this relation, and there is a rule based on this relation that defines how entity binding may change as the system progresses. While the SMM 'flow policy' ($L_G$) does not form a lattice, it is partially ordered and does provide a consistent and meaningful treatment of upper and lower aggregate operators.

The SMM can implement a form of high water mark policy: if an entity is bound to an interval (i.e., it contains unique upper and lower bounds on all components), then the test for a secure state becomes

$E \rhd^{s} F \Rightarrow \bot_{s.E} \leq \bot_{s.F}$

A state transition s to s' is secure if

$\forall E \in ENTS \bullet \bot_{s.E} \leq \bot_{s'.E}$

i.e., its lowest bound can only rise. It is unlike a high water mark in that the lowest bound may not rise beyond the top of the confinement interval. Thus an entity confined to {classified, secret} cannot sink top-secret information. A true high water mark policy can be achieved if the top of the interval is the top of the lattice flow policy, allowing bottoms to rise to the top.

There is a useful class of systems described by a Bell and LaPadula model[1] that can be viewed as restricted instantiations of the SMM model. Take a BLP system where the flow model is described by a group confinement policy $L_G$; subjects and objects (entities) are bound to single elements (groups) of this policy; the definitions of a secure state (ss-condition and *-property) remain the same, and can be abstracted to: state s is secure iff

$\forall E, F \in ENTS \bullet E \rhd^{s} F \Rightarrow s.E \leq s.F$ (10)

where $\leq$ is the (partial) bound order defined over the policy $L_G$. The above condition for a secure state is stronger than the definition of a secure state in SMM since, by definition, we have

$A \leq B \Leftrightarrow (\forall a \in A \bullet \exists b \in B \bullet a \leq b) \land (\forall b \in B \bullet \exists a \in A \bullet a \leq b)$
Finally, we have a restricted form of tranquility, whereby security classes (groups) may only change according to the rule for a secure state transition (equation (9)). Now we have a BLP-like model that can enforce aggregation policies.

Note that we have not given any consideration to how the policy $L_G$ will be implemented. The confinement group equality relation and, in particular, lemma 6 imply that a confinement group can be represented by the smallest set in its equivalence class. This set can be shown to correspond to a set of disjoint intervals from the original flow policy, each interval covering the classes contained in it. In the case of the SMM, these intervals will have a common lowest bound, the lowest bound of the group. Entities are bound to lists of intervals, and as the system progresses and accesses are established, the intervals will shrink or be removed altogether to reflect the possible classifications of the information held by the entity.

3.4 Denial of Access

MAC models that incorporate dynamic binding can suffer from the problem of information flow due to denial of access: a low user can read a low file; however a high (Trojan) process, by writing high information into the dynamically bound file, prevents the low user from reading the file, and thus there is a potential for information flow. With SMM, a low file would be confined to {low}, and thus could not have high information written to it. To duplicate the scenario above, the file would have to be confined to {low, high}. Now the low user can initially read from this file. As soon as the high Trojan writes to the file, it is removed from the purview of the low user.

We are interested in how group confinement could be included in the Terry-Wiseman model of security[16]. In doing this, we must address how flows due to denial of access could be handled under their philosophy for modelling security. Returning to the above scenario, the low user cannot create the file to be used, since any entity created by a person should inherit the confinement of the person, i.e., the file would be bound to {low}. The Trojan cannot create the file to be used since it is an untrusted piece of software and thus would not possess the faithful role. Thus to establish the covert channel, a faithful entity (person) confined to {low, high} would have to create the file, and then make it available to both the Trojan and the low user.

There seem to be a number of ways to prevent this channel. The easiest approach is to prevent entities changing their confinement when off the trusted path. This reflects the fact that while on the path, entities are trusted not to use class changes to transmit information; once off the path, the entity cannot be trusted, and thus security classes are not allowed to change. Thus in the example above, the high entity decides what class of information (low or high) he wants put into the file (and updates its confinement appropriately) before he calls the Trojan horse.

Alternatively, we could insist that any class changes to an entity can only be done before the entity enters any subset of the public domain. Once an entity is made available to others, its confinement becomes static and can no longer change. This is the approach adopted in [11].

If the file is given to the low user or to the Trojan horse by the high user, then by the no-signalling rule there is no threat of flow, since the requester (the high user) is trusted not to leak by using changes of control information. However, the high user is giving to the low user an entity that can be used to establish a covert channel. While the high user can be trusted not to create a channel based on controls from high to low, a low user cannot, and thus the low user should not be given an entity with confinement {low, high}. The low user may however be given the file confined to {low} or {high}. This requirement needs to be formally captured in the no-signalling rule.

There is another type of flow due to denial of access that is not captured by any of the above approaches. Example 6 illustrated how a quantity based aggregation policy could be described in terms of group confinement. The security mechanism did not consider the possible problem of inferences that can be made from denial of access. An employee having accessed accounts and personnel information might deduce that Jones is a member of the sales department if access to his/her number is denied. Thus if inference controls are to be included, they must consider how inferences can be made, not only about functional information in the system, but also about control information (confinement etc.).

Information flows due to denial of access are an area for future work.

3.5 Other State Based Refinements of GCFM

The SMM is one, albeit restricted, refinement of the group confinement model. It is restricted both in the kind of confinement it can enforce (v() must hold) and also in its interpretation of information flow (transitive and reflexive). However, we have seen, and will see in section 5, that it can enforce many useful security policies. This section considers how these restrictions on SMM might be avoided. Rather than proposing any concrete refinements, we will discuss possibilities for other refinements, some of which we hope to develop formally in the near future.

3.5.1 Information Flow

Consider the definition of information flow ($\rhd^{\Sigma}$) in SMM. This relation is transitive in the sense that information that flows into an entity can be extracted from that entity at a later state. This is a reasonable assumption for system objects such as files: information sunk to a file is generally done so that it can be retrieved later. In the SMM entities can be thought of as memorable: information that flows out of an entity could have been sunk by that entity during an earlier state.

However, this reasoning need not apply to people. A person who is confined to group {secret, top-secret} is trusted to handle secret and top-secret information appropriately (by the very fact that he/she is confined to this group). Such a person is trusted not to source top-secret information as secret, whether that top-secret information originated from within the system, or as some information from outside the system. This degree of trust can also be extended to any trusted process operating on the user's behalf. For example, if the window system software is certified and trusted to behave appropriately, then a user confined to {secret, top-secret} should be allowed to read and write simultaneously to secret and top-secret windows on the terminal screen. The user is trusted not to read the top-secret window and re-type its information into the secret window. Note however, that the user should not be permitted to use any system software to, for example, cut a portion of the top-secret window and paste it into the secret window. In this latter case, an information flow is generated in the system as a result of the functionality of the windowing software and the flow policy must be applied. Therefore, our notion of trust does not permit arbitrary downgrades, unless the user is willing to manually re-type the top-secret information as secret, in which case it would probably be easier to transmit the information using some other medium (for example, a telephone).

We view people as memoryless: information sourced by a person can be viewed as independent of any information sunk by that person during an earlier state. Recall the interpretation of the flow relation $\rhd$ in GCFM, as representing the flows to which the information flow policy is to be applied. In the case of memoryless people, once information leaves the system, it is assumed never to re-enter inappropriately, and thus the flow policy need not be applied to these flows. Note that while people may be considered memoryless in terms of other entities, they can remember information for their own purposes: in example 2 the system operator is bound to {long, lat}. When he reads longitude information he can remember it at later states and thus must be prevented from reading latitude information. The operator is trusted to handle longitude or latitude information appropriately, but not both. If $ENTS_m$ returns the set of memorable entities from ENTS, and $E \rhd^{s} F$ identifies the flows due to accesses at state s, then the flows as a result of a transition sequence $\Sigma_n$ can be defined as

$E \rhd^{\Sigma_n} F = \begin{cases} (\exists G \in ENTS_m \bullet E \rhd^{\Sigma_{n-1}} G \land G \rhd^{s_n} F) \lor E \rhd^{\Sigma_{n-1}} F \lor E \rhd^{s_n} F & \text{if } n > 0 \\ E \rhd^{s_0} F & \text{otherwise} \end{cases}$

$\mathcal{E} \rhd \mathcal{F} = \exists \Sigma_n \bullet \forall E \in \mathcal{E}, F \in \mathcal{F} \bullet E \rhd^{\Sigma_n} F$

Note how the $(E \rhd^{\Sigma_{n-1}} F \lor E \rhd^{s_n} F)$ part reflects the fact that a memoryless entity can remember, for its own purposes, some information that could form part of a useful aggregate.

Given this definition, it is possible for two memoryless entities with similar confinements to cooperate and learn information that individually they should not have access to. Consider example 2, where there are two operators O1 and O2 each confined to {long, lat}. O1 is permitted to read longitude information and forward it to O2 as latitude information, who in turn may read real latitude information, resulting in access to a coordinate. Even if these entities were memorable, similar flows could be generated: O1 reads longitude, O2 reads latitude, and they compare values later in the canteen. Since the entities have the same confinement they can be expected to collude. This problem can be circumvented by the careful use of persistent-knowledge environments[15]. We could assume that if the operators are going to collude, they most likely share the same terminal, local network, or building. Thus we could assign and maintain, in the case of the terminal, a group confinement indicating the information that has been processed at the terminal. As accesses are made by its operators, its confinement will change. We do not need any special confinement mechanism for persistent knowledge environment labels, since a terminal can be treated as just another entity, a source and sink of information. We would have a similar treatment for people. A (memoryless) person confined to {long, lat} creates two windows on the screen. When the person reads longitude information through one window, the window's confinement will change to {long}, as well as the user's confinement (since there is a flow from the longitude information to the person). This prevents the user displaying latitude information in the other window. Note that if we are modelling the terminal as an entity, then its confinement would also change to {long}, preventing another person reading latitude information at that terminal.
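The history flow relation of Definition 7 and its memorable/memoryless variant above, as an added example that is not part of the paper: it computes $\rhd^{\Sigma_n}$ over a constructed trace of the two-operator scenario (the entity names Long, Lat, O1 and O2 and the trace itself are assumed) and shows that only the reading in which every entity is memorable detects the aggregate flow {Long, Lat} ▷ {O2}.

```python
# Added example, not code from the paper: the history flow relation of
# Definition 7 and the memorable/memoryless variant of section 3.5.1, run over
# a constructed trace of the two-operator scenario. Entity names (Long, Lat,
# O1, O2) and the trace itself are assumed for illustration.


def reflexive(flows, ents):
    """Each state's flow relation taken to be reflexive (E |> E), since the SMM
    interprets flow as transitive and reflexive (section 3.5)."""
    return set(flows) | {(e, e) for e in ents}


def history_flows(trace, memorable=None):
    """|>^{Sigma_n} for trace = [flows at s_0, ..., flows at s_n], each a set of
    (E, F) pairs meaning E |> F at that state.

    memorable=None: Definition 7, every entity is memorable and a flow chains
    through any intermediate entity G. Otherwise the section 3.5.1 variant:
    a flow chains only through G in ENTS_m (the `memorable` set), while the
    flows of earlier states and of s_n are kept directly."""
    ents = {x for flows in trace for pair in flows for x in pair}
    hist = reflexive(trace[0], ents)               # |>^{Sigma_0} = |>^{s_0}
    for flows in trace[1:]:
        now = reflexive(flows, ents)               # |>^{s_n}
        chained = {(e, f) for (e, g) in hist for (g2, f) in now
                   if g == g2 and (memorable is None or g in memorable)}
        hist = chained if memorable is None else chained | hist | now
    return hist


def aggregate_flow(hist, sources, sinks):
    """The aggregate flow over one history: every entity of `sources` flows
    to every entity of `sinks` in that history."""
    return all((e, f) in hist for e in sources for f in sinks)


# Constructed trace: s_0 has no flows (as assumed in section 3.1); at s_1 O1
# reads longitude, at s_2 O1 forwards it to O2, at s_3 O2 reads latitude.
TRACE = [set(), {("Long", "O1")}, {("O1", "O2")}, {("Lat", "O2")}]


def collusion_detected(memorable=None):
    """Whether the aggregate flow {Long, Lat} |> {O2} shows up over TRACE."""
    hist = history_flows(TRACE, memorable)
    return aggregate_flow(hist, {"Long", "Lat"}, {"O2"})


if __name__ == "__main__":
    print("all entities memorable:", collusion_detected())               # True
    print("operators memoryless:", collusion_detected({"Long", "Lat"}))  # False
```

With the operators memoryless, Long never reaches O2 in the computed relation, so the coordinate assembled through O1 is invisible to the flow policy; labelling the shared terminal as a memorable entity, as the text suggests, is what would bring that flow back into view.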

Another class of memoryless entity is one where, even though it does 'forward' information using the system, it is trusted not to forward anything valuable. An example of such an entity is a (trusted) encryption process which sinks secret information (plain text) and sources unclassified information (cipher text). This process is certified to behave appropriately and thus can be considered memoryless. Again, this reflects the interpretation of $\rhd$ as representing the flows in the system to which the flow policy must be applied. Careful use of memoryless entities provides a form of controlled violation of the information flow policy: an unclassified user can only discover encrypted secrets. This idea is considered further in section 6.

In this section we have only proposed the notion of memorable and memoryless entities, and the nature of the information flows between them. We have, as yet, to define the necessary and sufficient conditions for a secure state and secure transition. This is one refinement of GCFM we believe to be worthwhile, and one we intend to do in the near future.

3.5.2 Confinement

The SMM can cater only for a restricted form of confinement: confinement groups must include an element that is a lower bound on the other members of the group. With this restriction in place SMM is a valid and precise refinement of GCFM.

If the restriction is removed, then SMM is no longer a valid refinement. This can be illustrated by the following example: a system has entities and confinements based on the flow policy from example 2,

$E1 = \{long, lat\}$   $A = \{long\}$

$E2 = \{long, lat\}$   $B = \{lat\}$

The SMM can prevent entity E1 learning joint longitude and latitude information (i.e., a coordinate), but cannot prevent E1 sourcing both longitude and latitude information: consider the flows

$E1 \rhd E2$   $E2 \rhd A$   $E1 \rhd B$

here, information from E1 flows to A and B, and while such a flow would be permitted in a SMM-like model, it is not allowed by the GCFM.

It was the above class of flow that led us to adopt the restriction on group confinement. The restriction allows the security requirement to be re-written as

$\forall \mathcal{E} \subseteq ENTS, F \in ENTS \bullet \mathcal{E} \rhd \{F\} \Rightarrow \mathcal{E}^{\otimes} \leq F$

allowing us to ignore the calculation of lower aggregates for sinks, and thus avoiding the problem noted above.

A valid state based model that does not have restrictions on confinement groups can be built by modifying the SMM appropriately. To capture flows such as the above (i.e., flows to aggregates) each entity E would require a history of the entities that originally sourced the information held by E. Given this, when the flow $E2 \rhd A$ occurs above, the confinement of E1 and E2 must change (to {long}) so that their aggregate sourced information can flow to A. The aim of such a mechanism would be to result in a property such as

$\forall E, F \in ENTS \bullet E \rhd^{\Sigma} F \Rightarrow s_n.E \leq s_n.F$

so that when the aggregates are calculated ($\mathcal{E} \rhd^{\Sigma} \mathcal{F}$) it would ensure that the security requirement of GCFM is upheld, since for groups A, B, C, D we have

$(A \leq C \land A \leq D \land B \leq C \land B \leq D) \Rightarrow (A \otimes B \leq C \oplus D)$

With this approach, we have a loss of precision due to the stronger definition of a secure state, and except possibly for the case of certification[1, 13], it is not a practical approach since the history of all information flows would need to be maintained by the system at run-time.

An alternative to the above is to strengthen the notion of a secure state further so that state s is secure iff

$\forall E, F \in ENTS \bullet E \rhd^{s} F \Rightarrow \forall e \in s.E, f \in s.F \bullet e \leq f$

With this restriction, once a flow is allowed during a state, it will be permitted in all subsequent states since the entire confinement group of F strictly dominates every class of s.E, and their shrinkage as the system progresses will have no effect on this ordering. Thus the property

$\forall E, F \in ENTS \bullet E \rhd^{\Sigma} F \Rightarrow s_n.E \leq s_n.F$

holds, and a system secure by the above will also be secure by GCFM. However, while the approach might initially appear attractive, it is not at all precise and furthermore, unlike the SMM, the transition function does not lend itself to a clean implementation: flows between entities with confinement {long, lat} would require that their confinement change to either {lat} or {long}, imposing a commitment on the class of the flow between the entities before the nature of the flow (whether longitude or latitude) is known.

The SMM model, restricted as it is, does provide a framework for enforcing a variety of useful flow policies. We believe that the policies that it cannot enforce (i.e., v() does not hold for group confinements) are either uninteresting (in the sense that we cannot find any useful application) or could be implemented as part of an integrity policy.

Consider the kinds of confinements that cannot be enforced by SMM. Such a confinement group C will have $a, b \in C$ but $a \land b \notin C$. Thus an entity $E_c$ confined to C can source or sink information of class a or b, but cannot source or sink information of class $a \land b$. Now consider entities $E_a, E_b$ confined to A = {a} and B = {b} respectively. Entity $E_c$ can source to $E_a$ or $E_b$, but not both. What would this sourcing correspond to in a system? If it corresponds to a direct write by entity $E_c$ to entities $E_a$ and $E_b$, then this n-person control is an integrity control and could be enforced as part of an integrity policy (see section 6). If the sourcing corresponds to a flow from a read, whether direct or indirect (for example a covert channel), then is the security control useful? We have something passive like a read of $E_c$ by $E_a$ at one state preventing a read of $E_c$ by another entity ($E_b$) at a later state. Further work needs to be done to determine if such policies can be put to any use, and if so, how a practical model to enforce them could be built.
4 Reflexive Flow Policies

Confidentiality security is concerned with restricting the disclosure of information in systems.
One way of achieving this is to use an information flow policy[6] which can be thought
of as defining the different classes or kinds of information that can exist in the system and
how they may propagate. An example of this is the military flow policy which defines a set
of security classes which represent the sensitivity of the information in the system, and an
ordering relation which describes relative sensitivity. A flow relation ($\rightsquigarrow$) defines how
information may propagate and is interpreted as:

for classes a, b, $a \rightsquigarrow b$ means that information is permitted to flow from
class a to class b.

Rather  than  thinking  of  these  classes  of  information  as  just  security  classes  (as  in  the 
traditional  sense),  we  should  think  of  them  as  a  way  of  associating  a  simple  representation 
of  meaning  with  the  information  in  the  system.  For  example,  a  student  computer  system 
might have information of class exams, results, assignments, etc., and a flow relation which
describes  the  allowable  propagation  of  information  between  classes. 

Formally, if R is an information flow policy, then $\alpha R$ is the set of security classes,
and ($a, b \in \alpha R$) $a \rightsquigarrow b$ gives the flow relation. A flow relation is trivially reflexive, since
information should always be allowed to flow within the same security class. In [6], Denning
argues that a flow relation should be transitive. However, Foley[10] proposes a number of
flow policies that use a non-transitive flow relation. In later sections (4.1 and 5) further
examples of non-transitive flow policies will be given. Therefore, we will opt for the most
general case where a flow relation need not be transitive.

Two security classes from an information flow policy can be considered equivalent if
their flow relations with all other security classes are identical. We will make the reasonable
assumption that a flow policy does not contain any equivalent security classes, i.e.,

$\forall a, b \in \alpha R \bullet (\forall x \in \alpha R \bullet (x \rightsquigarrow a \Leftrightarrow x \rightsquigarrow b) \wedge (a \rightsquigarrow x \Leftrightarrow b \rightsquigarrow x)) \Rightarrow a = b$

We call this requirement pseudo-antisymmetry, because if the policy is transitive, then this
requirement becomes one of antisymmetry.

Given  that  a  flow  policy  R  is  reflexive  and  pseduo-antisymmetric,  then  the  combination 
of  information  at  class  a  £  aR  with  information  at  class  6  €  aR  should  result  in  information 
at  a  class  d  €  <*R  that  forms  an  upper  bound  on  a  and  6,  i.e.,  a  d  A  6  d.  As  R  may 
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not  be  transitive,  d  should  also  form  an  upper  bound  on  all  classes  that  are  dominated  by 
a  or  6,  since  information  at  class  a  or  b  may  have  originated  from  a  lower  class.  Similarly,  if 
the  combined  information  (originally  from  classes  a  and  6)  at  this  class  d  may  flow  to  some 
class  c,  then  individual  flows  from  a  to  c  and  from  b  to  c  must  also  hold.  These  observations 
give  rise  to  the  following  definition. 

Definition 9 A class d is an upper bound on a and b from the policy R if d is-upper a, b,
where

$d \text{ is-upper } a, b \;\hat{=}\; (\forall c \in \alpha R \bullet c \rightsquigarrow a \vee c \rightsquigarrow b \Rightarrow c \rightsquigarrow d) \wedge (\forall c \in \alpha R \bullet d \rightsquigarrow c \Rightarrow a \rightsquigarrow c \wedge b \rightsquigarrow c)$

A similar definition can be given for lower bounds. A class d is a lower bound on classes a
and b from the reflexive policy R if d is-lower a, b, where

$d \text{ is-lower } a, b \;\hat{=}\; (\forall c \in \alpha R \bullet a \rightsquigarrow c \vee b \rightsquigarrow c \Rightarrow d \rightsquigarrow c) \wedge (\forall c \in \alpha R \bullet c \rightsquigarrow d \Rightarrow c \rightsquigarrow a \wedge c \rightsquigarrow b)$

We can generalize these conditions in terms of a bound order relation: security class a is a
lower bound of security class b in policy R if $a \le_R b$, where

$a \le_R b := a \text{ is-lower } b, b$


The bound order relation of a policy is a partial order, and the following laws hold: for
$a, b, c \in \alpha R$ then

$a \le b \Rightarrow a \rightsquigarrow b$
$a \le b \Leftrightarrow b \text{ is-upper } a, a$
$a \le b \wedge a \le c \Leftrightarrow a \text{ is-lower } b, c$

Note that we can rewrite the pseudo-antisymmetry requirement in terms of bound order as

$\forall a, b \in \alpha R \bullet a \le b \wedge b \le a \Rightarrow a = b$

Thus if policy R is antisymmetric under $\le$ it is pseudo-antisymmetric under $\rightsquigarrow$.

A pair of security classes can have a number of upper bounds. The lowest of all these
gives the lowest upper bound, which provides us with the basis for security class combination.

Definition 10 A class d forms a lowest upper bound on classes a and b from policy R if

$\forall d' \in \alpha R \bullet d' \text{ is-upper } a, b \Rightarrow d \le d'$

A class d forms a greatest lower bound on a and b if

$\forall d' \in \alpha R \bullet d' \text{ is-lower } a, b \Rightarrow d' \le d$

Note that the antisymmetry of bound order ensures that d above is unique. □

Definition 11 An information flow policy forms a reflexive lattice if its flow relation is
reflexive and pseudo-antisymmetric, and every pair of components has unique lowest upper
and greatest lower bounds. □

Note  that  if  R  is  a  reflexive  lattice  then  the  set  of  security  classes  ordered  by  the  bound 
order  forms  a  lattice  with  bound  operators  defined  by  the  existing  bound  operators  of  R. 
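As an added illustration (this code is not part of the paper), the following Python evaluates Definitions 9 to 11 and the three bound-order laws directly over a flow relation given as a set of pairs. The two policies DIAMOND (a transitive diamond) and CHAIN (a non-transitive chain, $a \rightsquigarrow m$, $m \rightsquigarrow r$, but not $a \rightsquigarrow r$) are constructed for this example. One assumption is made explicit: following the text's "lowest of all these", lub() and glb() only consider candidates that are themselves upper (lower) bounds.

```python
from itertools import product

# A flow policy R is (alphabet, flow relation as a set of (a, b) pairs meaning a ⇝ b).
# Constructed examples, not from the paper:
DIAMOND = (
    frozenset({"L", "a", "b", "H"}),
    frozenset({(x, x) for x in "LabH"}
              | {("L", "a"), ("L", "b"), ("a", "H"), ("b", "H"), ("L", "H")}),
)
# Non-transitive chain: a ⇝ m and m ⇝ r but not a ⇝ r.
CHAIN = (
    frozenset({"a", "m", "r"}),
    frozenset({(x, x) for x in "amr"} | {("a", "m"), ("m", "r")}),
)


def flows(R, x, y):
    """x ⇝ y in policy R."""
    return (x, y) in R[1]


def is_upper(R, d, a, b):
    """Definition 9: d is-upper a, b."""
    alpha = R[0]
    return (all(flows(R, c, d) for c in alpha if flows(R, c, a) or flows(R, c, b))
            and all(flows(R, a, c) and flows(R, b, c) for c in alpha if flows(R, d, c)))


def is_lower(R, d, a, b):
    """Definition 9 (dual): d is-lower a, b."""
    alpha = R[0]
    return (all(flows(R, d, c) for c in alpha if flows(R, a, c) or flows(R, b, c))
            and all(flows(R, c, a) and flows(R, c, b) for c in alpha if flows(R, c, d)))


def bound_le(R, a, b):
    """Bound order a ≤ b := a is-lower b, b."""
    return is_lower(R, a, b, b)


def pseudo_antisymmetric(R):
    """No two distinct classes have identical flows to and from every class."""
    alpha = R[0]
    for a, b in product(alpha, repeat=2):
        same = all((flows(R, x, a) == flows(R, x, b)) and (flows(R, a, x) == flows(R, b, x))
                   for x in alpha)
        if same and a != b:
            return False
    return True


def lub(R, a, b):
    """Definition 10: the unique upper bound that is below every other upper bound, else None."""
    uppers = [d for d in R[0] if is_upper(R, d, a, b)]
    lowest = [d for d in uppers if all(bound_le(R, d, d2) for d2 in uppers)]
    return lowest[0] if len(lowest) == 1 else None


def glb(R, a, b):
    """Definition 10 (dual): the unique lower bound above every other lower bound, else None."""
    lowers = [d for d in R[0] if is_lower(R, d, a, b)]
    greatest = [d for d in lowers if all(bound_le(R, d2, d) for d2 in lowers)]
    return greatest[0] if len(greatest) == 1 else None


def is_reflexive_lattice(R):
    """Definition 11: reflexive, pseudo-antisymmetric, every pair has a unique lub and glb."""
    alpha = R[0]
    return (all(flows(R, x, x) for x in alpha)
            and pseudo_antisymmetric(R)
            and all(lub(R, a, b) is not None and glb(R, a, b) is not None
                    for a, b in product(alpha, repeat=2)))


def laws_hold(R):
    """The three bound-order laws of the text, checked over every triple of classes."""
    alpha = R[0]
    for a, b, c in product(alpha, repeat=3):
        if bound_le(R, a, b) and not flows(R, a, b):
            return False
        if bound_le(R, a, b) != is_upper(R, b, a, a):
            return False
        if (bound_le(R, a, b) and bound_le(R, a, c)) != is_lower(R, a, b, c):
            return False
    return True
```

Running lub(CHAIN, "a", "m") returns None: m is not an upper bound of a and m because m flows to r while a does not, and r is ruled out because a does not flow to it. This is the situation the later transformation to a reflexive lattice is designed to repair.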

4.1  Transforming  Flow  Policies 

The  group  confinement  model  is  defined  in  terms  of  a  (partial  order)  lattice  information  flow 
policy.  In  this  section  we  will  show  how  an  arbitrary  reflexive  relation  can  be  transformed 
into  a  reflexive  lattice,  and  how  this  can  be  enforced  within  the  group  confinement  model. 
Before  giving  a  general  approach,  we  will  first  show  how  relations  that  are  transitive  and 
reflexive  can  be  transformed  into  lattices. 

4.1.1  Transforming  Quosets  into  Lattices 

In  this  section  we  will  give  three  different  approaches  to  transforming  a  quoset  (reflexive 
and transitive relation) into a lattice. The first two are based on Birkoff[4] and Denning[7].
The  third  is  a  new  transformation.  All  these  transformations  preserve  the  orderings  in  the 
original  information  flow  policy,  but  treat  existing  upper  and  lower  bounds  from  the  quoset 
flow  policy  differently. 

Birkoff Transformation

Definition 12 Given an arbitrary quoset Q, with ordering relation $\le$, define a function

$f^P_Q : \alpha Q \rightarrow \mathcal{P}\,\alpha Q \qquad f^P_Q(a) = \{b \mid b \le a\}$

which maps Q to the powerset of $\alpha Q$. We will drop the subscript from $f^P_Q$ to give $f^P$ if no
ambiguity can arise. □


Figure 3: Quoset Q (classes a, b and c, with $a \le c$ and $b \le c$)


The resulting lattice from the transformation is the powerset lattice $\mathcal{P}\,\alpha Q$ with ordering
relation $\subseteq$, lowest upper and greatest lower bound operators $\cup$ and $\cap$ respectively. That
the mapping $f^P$ preserves the orderings defined by the quoset is proven in [4], i.e.,

$\forall a, b \in \alpha Q \bullet a \le b \Leftrightarrow f^P(a) \subseteq f^P(b)$

Note that there is a dual of this flow preserving mapping from $\alpha Q$ to $\mathcal{P}\,\alpha Q$ defined as

$g^P_Q : \alpha Q \rightarrow \mathcal{P}\,\alpha Q \qquad g^P_Q(a) = \{b \mid a \le b\}$

We will generally use the mapping $f^P$.

Example 8 A quoset Q has alphabet {a, b, c} and orderings as defined in figure 3. This
policy is mapped to the powerset lattice $\mathcal{P}\{a, b, c\}$ by the mapping

$f^P(a) = \{a\} \qquad f^P(b) = \{b\} \qquad f^P(c) = \{a, b, c\}$

Note how the orderings in Q are preserved by the mapping. For example, we have $a \le c$
and $\{a\} \subseteq \{a, b, c\}$. However, the 'intuitive' lowest upper bound of a and b is not $f^P(c)$ in
the lattice, but $\{a, b\} \subset f^P(c)$.

Thus, if we were to use this technique to convert a quoset flow policy into a lattice for
use in the GCFM, we must be aware of this 'side effect' where the apparent lowest upper
(and greatest lower) bounds of the flow policy may not correspond to the lowest upper
(and greatest lower) bounds in the lattice. Of course, in some instances this is necessary if,
in the original quoset, elements have more than one lowest upper bound. For example,
suppose that both a and b above can also flow to an element d; then in Q, a and b do not
have a unique lowest upper bound. However, in the powerset lattice, $\{a, b\}$ is their lowest
upper bound, which in turn is dominated by both $f^P(c)$ and $f^P(d)$. △

An advantage of having our policy as a powerset lattice is that it can easily be implemented
in terms of bitwise comparisons and operations on sets. There is, of course,
a problem in implementing very large flow policies: each security class requires $|\alpha Policy|$
bits. In the group confinement model we are not storing a single security class for each
entity, but a list of security classes. This list (in the worst case) could range from a single
component to $|\alpha Policy|$ components: the case where every class in the policy is disjoint
(thus no advantage can be taken of class covering), and the entity is confined to the group
$\{\{x\} \mid x \in \alpha Policy\}$. Perhaps large policies could be specified as a hierarchy of flow policies,
each with their own orderings as well as orderings between individual policies. Such policies
might find application in large networks, where nodes have local flow policies, in addition
to net-wide policies.

Denning  Transformation 

Denning's transformation is similar to Birkoff's detailed above; however, instead of mapping
to the entire powerset lattice, the minimal subset of the powerset is taken, such that it
includes the set of mapped components $f^P(x)$ ($x \in \alpha Q$) along with necessary lowest upper
and greatest lower bounds. The transformation is performed in two stages:

1. (Birkoff[4]) Transform the quasi ordered set Q into a partially ordered set (poset) P
by

(a) Define an order preserving mapping $f^P(x)$ from $\alpha Q$ to $2^{\alpha Q}$ as

$f^P(x) = \{y \mid y \in \alpha Q \wedge y \le x\}$

(b) Define poset P as

$\alpha P = \{f^P(x) \mid x \in \alpha Q\}$

and an ordering relation defined by subset, i.e., for $X, Y \in \alpha P$ then

$X \le Y \Leftrightarrow X \subseteq Y$

The mapping $f^P(x)$ from Q to P preserves the ordering relation[4], i.e.,

$\forall x, y \bullet (x, y \in \alpha Q \Rightarrow (x \le y \Leftrightarrow f^P(x) \le f^P(y)))$


2. (Denning[7]) The poset P can be transformed into a lattice L with: subset as the
ordering relation, union as the lowest upper bound operator, and intersection as the
greatest lower bound operator. The steps are:
Figure 4: Quasi ordered set Q, and mapping $f^P(x)$

(a) Add components $H = \alpha Q$ and $L = \{\}$ to $\alpha P$.

(b) Define the set of successors common to sets of classes X and Y of poset P as
$s(X, Y)$, where

$s(X, Y) = \{Z \mid Z \in \alpha P \wedge X \cup Y \subseteq Z\}$

(c) Let $W = \bigcap s(X, Y)$. If $W \in s(X, Y)$ then classes X and Y have class W as their
lowest upper bound in P; otherwise they have none, so add W to $\alpha P$.

It can be proven that this expansion of P terminates and that the orderings of the
original policy are preserved by mapping $f^P(x)$.

Example 9 The policy of example 8 can be transformed into the lattice with components
{}, {a}, {b} and {a, b, c}. Here, the original lowest upper bound of a and b is preserved in
the lattice as $f^P(c)$. △

Example 10 Figures 4 and 5 show the transformations from a quoset Q to a lattice L. △
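The two transformations above, as an added Python example (not code from the paper): `birkoff()` is the mapping of Definition 12 into the full powerset lattice, and `denning()` is the two-stage expansion of the poset P by common successors. The quosets Q8 (example 8: $a \le c$, $b \le c$) and Q8D (the variant where a and b also flow to a second class d) are constructed here as input; a quoset is supplied as an alphabet plus a reflexive, transitive `le` predicate.

```python
from itertools import combinations


# A quoset is (alphabet, le) where le(a, b) means a ≤ b; the pairs given must already be
# reflexively and transitively closed. Constructed inputs, not from the paper.
def make_quoset(alphabet, pairs):
    rel = {(x, x) for x in alphabet} | set(pairs)
    return (frozenset(alphabet), lambda a, b: (a, b) in rel)


Q8 = make_quoset("abc", [("a", "c"), ("b", "c")])                      # example 8
Q8D = make_quoset("abcd", [("a", "c"), ("b", "c"), ("a", "d"), ("b", "d")])  # plus d


def f_P(Q, a):
    """Birkoff mapping f^P(a) = {b | b ≤ a} (Definition 12)."""
    alpha, le = Q
    return frozenset(b for b in alpha if le(b, a))


def birkoff(Q):
    """Image of every class in the powerset lattice P(alpha Q)."""
    return {a: f_P(Q, a) for a in Q[0]}


def preserves_order(Q):
    """Check ∀a, b • a ≤ b ⇔ f^P(a) ⊆ f^P(b)."""
    alpha, le = Q
    return all(le(a, b) == (f_P(Q, a) <= f_P(Q, b)) for a in alpha for b in alpha)


def powerset_lub(Q, a, b):
    """Lowest upper bound of f^P(a) and f^P(b) in the powerset lattice: set union."""
    return f_P(Q, a) | f_P(Q, b)


def denning(Q):
    """Denning's transformation: start from {f^P(x)} plus H = alpha Q and L = {}, then keep
    adding W = ∩ s(X, Y) for every pair X, Y whose common successors lack a least one."""
    alpha, _ = Q
    P = set(birkoff(Q).values()) | {frozenset(alpha), frozenset()}
    changed = True
    while changed:
        changed = False
        for X, Y in combinations(list(P), 2):
            successors = [Z for Z in P if X | Y <= Z]  # s(X, Y); never empty since H ∈ P
            W = frozenset.intersection(*successors)
            if W not in P:  # X and Y have no lowest upper bound in P yet: add it
                P.add(W)
                changed = True
    return P
```

For Q8 the Denning lattice is exactly {{}, {a}, {b}, {a, b, c}} of example 9, whereas the Birkoff lattice also contains the union {a, b} strictly below $f^P(c)$; for Q8D both constructions contain {a, b}, because a and b have two incomparable upper bounds in the quoset.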

When we construct a flow policy we define all the different classes (kinds) of information
that can exist in the system and define a flow relation over them. We may not wish to define
what the precise upper and lower bounds are. In example 8, we define that information
of class a may flow to c and that information of class b can also flow to c. Should this
imply a commitment to having c as the lowest upper bound of a and b? We think not⁴.

⁴Our argument in favour of Birkoff's transformation is applicable only to the work presented here, and
in particular the group confinement model. There are situations where it is desirable to preserve as much of
the structure of the original policy as possible, and Denning's transformation must be used. A case in point
is the work in [15].
Figure 5: Poset P and Lattice L (top element {a, b, c, d, e})


Birkoff’s  transformation  allows  the  lowest  upper  bound  of  a  and  b  to  denote  a  class  that 
corresponds  to  the  composition  of  information  of  class  a  and  b  (which  may  flow  to  c).  With 
Denning's transformation we lose this fine granularity, and can only talk about the class c
representing  information  at  class  c  or  the  combination  of  information  at  classes  a  and  b.  If 
a  large  policy  is  to  be  built,  then  we  feel  that  it  is  easier  to  think  of  the  restrictions  in  terms 
of  just  a  collection  of  flow  relations  (a  may  flow  to  b,  etc.)  than  having  to  also  consider 
aggregates  and  how  they  interact. 

Example 11 An information system holds medical, financial and personnel details. The flow
policy has an alphabet {med, fin, per}, and each class is disjoint from one another. Using
Denning's transformation, two additional classes will be added, namely H which denotes
the universal upper bound, and L the universal lower bound. Given this basic policy, we
cannot distinguish between information that originated from medical and financial sources
or medical and personnel sources. Consider an entity confined to the group

$\{(med \vee fin), (med \vee per)\}$

which represents a person who is allowed to read medical and financial or medical and personnel
information, but not everything. If we build the policy using Denning's transformation the
confinement is implemented as

$\{f(med) \vee f(fin),\ f(med) \vee f(per)\} = \{H, H\} = \{H\}$

which does not capture our intention. However, if we transform to the complete powerset
lattice, then our desires are realized, with the entity bound to

$\{f^P(med) \cup f^P(fin),\ f^P(med) \cup f^P(per)\} = \{\{med, fin\}, \{med, per\}\}$

Note that if we had started out with a powerset lattice (as was done in example 6) this
problem would not have occurred. However, remember that we should think of a flow
policy as defining the different kinds of information that can exist in the system (medical,
financial, etc.), and how they may flow. The Birkoff transformation will incorporate how
the aggregates may flow. △

Continuing with the last example, but considering Birkoff's transformation, the group
confinement

$\{(med \wedge fin), (med \wedge per)\}$

would be transformed to

$\{f^P(med) \cap f^P(fin),\ f^P(med) \cap f^P(per)\} = \{\{\}, \{\}\} = \{\{\}\}$

losing our desire to restrict flows to medical and financial, or medical and personnel. Thus,
while Birkoff's transformation provides a general treatment for the lowest upper bounds of
classes from the original policy, it is not consistent for greatest lower bounds. That is, given
classes a and b, then $f^P(a) \cup f^P(b)$ is the upper bound on only a, b and anything they are
bounds on; $f^P(a) \cap f^P(b)$ is a lower bound on a and b and anything they are bounded by,
but may also be a lower bound on a class they are disjoint to. Put formally, given arbitrary
quoset Q and mapping $f^P$ to powerset lattice $\mathcal{P}\,\alpha Q$, then

$\forall A, B \subseteq \alpha Q \bullet A \parallel B \Rightarrow (\bigcup\{f^P(a) \mid a \in A\}) \parallel (\bigcup\{f^P(b) \mid b \in B\})$ (11)

where ($a, b \in \alpha Q$) $a \parallel b$ means that classes a and b are disjoint, i.e.,

$a \parallel b \;\hat{=}\; \neg\, a \le b \wedge \neg\, b \le a$

This can be extended to sets of classes, such that given $A, B \subseteq \alpha Q$

$A \parallel B \;\hat{=}\; \forall a \in A, \forall b \in B \bullet a \parallel b$

Equation (11) tells us that given collections of classes A and B that are disjoint from one
another, then their lowest upper bounds are also disjoint from one another. For example,
{fin, med} and {per} are disjoint and so are their respective lowest upper bounds in the
powerset lattice. However this law does not hold for greatest lower bounds, i.e.,

$\forall A, B \subseteq \alpha Q \bullet A \parallel B \Rightarrow (\bigcap\{f^P(a) \mid a \in A\}) \parallel (\bigcap\{f^P(b) \mid b \in B\})$ (12)

does not hold for the powerset lattice, as confirmed above⁵.

The next section proposes a new transformation that provides a uniform treatment of
greatest lower and lowest upper bounds.

Symmetric Powerset Lattices

Definition 13 Define a symmetric powerset lattice based on the set of elements S as $\mathcal{P}_S\,S$,
with alphabet

$\alpha \mathcal{P}_S\,S = \{(x, y) \mid x, y \in \mathcal{P}\,S\}$

If $A \in \alpha \mathcal{P}_S\,S$ then let $(A_L, A_H)$ denote A. For $A, B \in \alpha \mathcal{P}_S\,S$ define

$A \le B \;\hat{=}\; A_L \supseteq B_L \wedge A_H \subseteq B_H$

$A \vee B \;\hat{=}\; (A_L \cap B_L,\ A_H \cup B_H)$

$A \wedge B \;\hat{=}\; (A_L \cup B_L,\ A_H \cap B_H)$

$\mathcal{P}_S\,S$ forms a distributive complementable lattice, with partial order $\le$, and lowest upper
and greatest lower bound operators $\vee$ and $\wedge$ respectively. □

Definition 14 Given an arbitrary quoset Q, define a flow preserving mapping $f^S$ as

$f^S_Q : \alpha Q \rightarrow \alpha(\mathcal{P}_S\,\alpha Q) \qquad f^S_Q(x) = (g^P_Q(x), f^P_Q(x))$

where functions $g^P_Q$ and $f^P_Q$ are defined in the previous section. □

The mapping $f^S$ preserves the flows of its domain, i.e.,

$\forall a, b \in \alpha Q \bullet a \le b \Leftrightarrow f^S(a) \le f^S(b)$

Furthermore, if collections of classes are disjoint from one another then so are their lowest
upper and greatest lower bounds, i.e.,

$\forall A, B \subseteq \alpha Q \bullet A \parallel B \Rightarrow (\bigvee\{f^S(a) \mid a \in A\}) \parallel (\bigvee\{f^S(b) \mid b \in B\}) \wedge (\bigwedge\{f^S(a) \mid a \in A\}) \parallel (\bigwedge\{f^S(b) \mid b \in B\})$

⁵An interesting point is that if we use the dual mapping $g^P$ then law (12) does hold while law (11) does
not. This suggests how to construct the new transformation.
Example 12 The flow policy described in example 11 can be transformed to the symmetric
powerset lattice $\mathcal{P}_S\{med, fin, per\}$ with mapping

$f^S(med) = (\{med\}, \{med\}) \qquad f^S(fin) = (\{fin\}, \{fin\}) \qquad f^S(per) = (\{per\}, \{per\})$

Some (disjoint) greatest lower bounds are

$f^S(med) \wedge f^S(fin) = (\{med, fin\}, \{\})$
$f^S(med) \wedge f^S(per) = (\{med, per\}, \{\})$

and an entity confined to group $\{med \wedge fin, med \wedge per\}$ will be confined to

$\{(\{med, fin\}, \{\}), (\{med, per\}, \{\})\}$

in the model, and we get the desired flow controls. △
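An added Python example (not from the paper) covering the two preceding passages: it checks laws (11) and (12) under $f^P$ on the discrete policy of example 11, and then shows that the symmetric powerset lattice of Definitions 13 and 14 keeps disjoint sets disjoint under both bound operators. MFP ({med, fin, per} with no flows between classes) and Q8 (example 8's quoset, used for the flow-preservation check) are constructed inputs.

```python
# A quoset is (alphabet, le); pairs must already be reflexively and transitively closed.
# Constructed inputs, not from the paper.
def make_quoset(alphabet, pairs):
    rel = {(x, x) for x in alphabet} | set(pairs)
    return (frozenset(alphabet), lambda a, b: (a, b) in rel)


MFP = make_quoset(["med", "fin", "per"], [])          # example 11: three disjoint classes
Q8 = make_quoset("abc", [("a", "c"), ("b", "c")])     # example 8


def f_P(Q, a):
    return frozenset(b for b in Q[0] if Q[1](b, a))   # {b | b ≤ a}


def g_P(Q, a):
    return frozenset(b for b in Q[0] if Q[1](a, b))   # {b | a ≤ b}, the dual mapping


def f_S(Q, a):
    """Definition 14: f^S(a) = (g^P(a), f^P(a))."""
    return (g_P(Q, a), f_P(Q, a))


# Definition 13: order and bound operators of the symmetric powerset lattice.
def sym_le(A, B):
    return A[0] >= B[0] and A[1] <= B[1]


def sym_join(A, B):
    return (A[0] & B[0], A[1] | B[1])


def sym_meet(A, B):
    return (A[0] | B[0], A[1] & B[1])


def sym_disjoint(A, B):
    return not sym_le(A, B) and not sym_le(B, A)


def set_disjoint(X, Y):
    """Disjoint in the powerset lattice: neither is a subset of the other."""
    return not X <= Y and not Y <= X


def fold(op, items):
    items = list(items)
    acc = items[0]
    for it in items[1:]:
        acc = op(acc, it)
    return acc


def preserves_flows(Q):
    """∀a, b • a ≤ b ⇔ f^S(a) ≤ f^S(b)."""
    alpha, le = Q
    return all(le(a, b) == sym_le(f_S(Q, a), f_S(Q, b)) for a in alpha for b in alpha)


def law_11_holds(Q, A, B):
    """Eq. (11) under f^P: lowest upper bounds (unions) of disjoint sets stay disjoint."""
    return set_disjoint(fold(frozenset.union, (f_P(Q, a) for a in A)),
                        fold(frozenset.union, (f_P(Q, b) for b in B)))


def law_12_holds(Q, A, B):
    """Eq. (12) under f^P: greatest lower bounds (intersections) of disjoint sets stay disjoint."""
    return set_disjoint(fold(frozenset.intersection, (f_P(Q, a) for a in A)),
                        fold(frozenset.intersection, (f_P(Q, b) for b in B)))


def sym_laws_hold(Q, A, B):
    """In P_S both the join and the meet of disjoint sets of classes remain disjoint."""
    joins = (fold(sym_join, (f_S(Q, a) for a in A)), fold(sym_join, (f_S(Q, b) for b in B)))
    meets = (fold(sym_meet, (f_S(Q, a) for a in A)), fold(sym_meet, (f_S(Q, b) for b in B)))
    return sym_disjoint(*joins) and sym_disjoint(*meets)
```

With A = {med, fin} and B = {per}, law (11) holds but law (12) fails under $f^P$ because the intersection over A is the empty set, which lies below everything; in the symmetric lattice the meet over A is ({med, fin}, {}), which is incomparable with ({per}, {per}).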

4.2  Transforming  Reflexive  Relations  into  Lattices 

The group confinement model was defined in terms of a (partial order) lattice based flow
policy. This section will show how an arbitrary reflexive relation can be transformed into
a reflexive lattice, and enforced within the group confinement model. We will base our
transformation on the powerset lattice. The appendix gives full details on how a reflexive
policy can be mapped to a symmetric powerset lattice. For the sake of clarity we have
chosen to present the less complex of the two approaches.

Given a reflexive flow policy R, construct a group confinement flow policy (section 2)
built from the powerset lattice of the set of security classes defined by R. The alphabet of
this lattice $R_G$ is

$\alpha R_G = \{X \mid X \subseteq \mathcal{P}\,\alpha R\} - \{\{\}\}$

and has a flow relation (definition 2) defined as ($A, B \in \alpha R_G$)

$A \rightsquigarrow B \;\hat{=}\; \exists X \in A, Y \in B \bullet X \subseteq Y$

(note that subset is the ordering relation on the 'base' policy, the powerset lattice of $\alpha R$,
for GCFM). This flow relation has a bound order defined by the partial ordering relation
$\le$ on $R_G$ since by definition 3,

$A \le B \Leftrightarrow (\forall X \bullet X \rightsquigarrow A \Rightarrow X \rightsquigarrow B) \wedge (\forall X \bullet B \rightsquigarrow X \Rightarrow A \rightsquigarrow X)$

We know from section 2 that $R_G$ does not form a lattice, but if we consider only group
confinements that form intervals on $\mathcal{P}\,\alpha R$, i.e., for each confinement A,

$\exists l, h \in A \bullet \forall x \in A \bullet l \subseteq x \wedge x \subseteq h$

then the set of all such confinements is closed over $\oplus$ and $\otimes$, and it forms a sublattice (an
interval lattice[10]) of $R_G$ with $\oplus$ as lowest upper and $\otimes$ as greatest lower bound operators.
Furthermore, from the above we know that this interval sublattice forms a reflexive lattice
with flow relation $\rightsquigarrow$ and bound order $\le$.

Definition 15 Define a mapping from an arbitrary reflexive relation R to this sublattice
of $R_G$ as

$f^G_R : \alpha R \rightarrow \alpha R_G \qquad f^G_R(a) = \{l_R(a), h_R(a)\}$

where

$l_R(a) = \{b \mid b \le a\} \qquad h_R(a) = \{b \mid b \rightsquigarrow a\}$

□

Each component of R will be mapped to an interval of $\mathcal{P}\,\alpha R$, since bound is a stronger
condition than flow, i.e., $a \le b \Rightarrow a \rightsquigarrow b$, implying that $l(a) \subseteq h(a)$, and $f^G(a)$ is
an interval of $\mathcal{P}\,\alpha R$ with bottom $l(a)$ and top $h(a)$. Thus $f^G$ is a mapping from R to a
reflexive lattice. The mapping $f^G$ preserves the flows of R, i.e.,

$\forall a, b \in \alpha R \bullet a \rightsquigarrow b \Leftrightarrow f^G(a) \rightsquigarrow f^G(b)$

Thus we can use $f^G(a)$ in $R_G$ for any class a drawn from R with no detrimental effect on
flows.

Since $R_G$ has been built from a powerset lattice then, like the Birkoff transformation, its
interval sublattice may contain extra upper bounds. For example, consider the flow policy
in figure 3 (page 34): a, b and c from R would be mapped to {{a}}, {{b}} and {{a, b, c}}
respectively in $R_G$. The lowest upper bound of a and b in R is c, but in $R_G$ it is {{a, b}},
reflecting the fact that information of class a and b have been combined. Refer back to
section 4.1.1 for the pros and cons of this effect. Like the Birkoff transformation, $f^G$ has
the property

$\forall A, B \subseteq \alpha R \bullet A \parallel B \Rightarrow (\bigoplus\{f^G_R(a) \mid a \in A\}) \parallel (\bigoplus\{f^G_R(b) \mid b \in B\})$

but needs a transformation based on symmetric powerset lattices to achieve a similar property
for greatest lower bounds.

Thus we have a transformation from an arbitrary reflexive policy R to a reflexive sublattice
of $R_G$ that preserves the flows of R and provides consistent treatment of upper and
lower bounds.

Enforcing a Reflexive Policy in GCFM

Given a reflexive flow policy, the intention behind confining an entity E to a confinement
group A of classes drawn from the policy is that

1. E is permitted to source information to any class s iff there exists an $a \in A$ such that
$a \stackrel{R}{\rightsquigarrow} s$.

2.  E  is  permitted  to  sink  information  from  any  class  s  iff  there  exists  an  a  G  A  such  that 

R 

Consider condition 1 above. This can be written in terms of $R_G$ based on the mapping $f^G$
as: E is permitted to source information to any class $S \in \alpha R_G$ iff

$\exists a \in A \bullet f^G(a) \rightsquigarrow S$
$\Leftrightarrow \exists a \in A \bullet \exists x \in f^G(a), s \in S \bullet x \subseteq s$
$\Leftrightarrow \exists x \in \bigcup\{f^G(a) \mid a \in A\}, s \in S \bullet x \subseteq s$

If we consider only singleton sets S = {s} drawn from $R_G$ we get the condition

1. E is permitted to source information to any class $s \in \mathcal{P}\,\alpha R$ (the powerset lattice
policy that drives $R_G$) iff there exists an $x \in \bigcup\{f^G(a) \mid a \in A\}$ such that $x \subseteq s$.

We can similarly re-define item 2 above using the same reasoning to give

2. E is permitted to sink information from any class $s \in \mathcal{P}\,\alpha R$ iff there exists an
$x \in \bigcup\{f^G(a) \mid a \in A\}$ such that $s \subseteq x$.
We now have a reformulation of what we mean by group confinement for reflexive policies
in terms of a (transformed) group confinement based on classes drawn from a lattice flow
policy. Thus we can enforce reflexive flow policies within the existing structure of the
GCFM.

Example 13 A private hospital information system processes information of class records
(medical history); treatment (given to patients); accounts (for patients); director (shareholder
information); and management. How information may flow between these different
classes is described by the reflexive relation in figure 6. Note how treatment information is
allowed to flow to records or management, but for confidentiality reasons cannot flow to class
director. Similarly, accounts information is not allowed to flow to records (for profitability
reasons). Management is allowed to coordinate all this information given these constraints.
This reflexive relation can be transformed into the reflexive lattice $R_G$ using the mapping
described in table 3. Observe from this table that if information of class treatment and
accounts are combined then their lowest upper bound in $R_G$ is not f(management), but
{{t, a}}, which may flow to class management, but not to records nor director.

Figure 6: Flow policy HOSPITAL (classes records, director, management, treatment and accounts)

x             f(x)
records       {{t,r},{t,m,r}}
director      {{d,a},{d,m,a}}
management    {{m},{t,m,a}}
treatment     {{t}}
accounts      {{a}}

Table 3: Mapping from HOSPITAL to $R_G$
A consultant in this hospital might be allowed to sink and/or source information of class
treatment and records, and thus is confined to the group {treatment, records}. In the
GCFM this corresponds to a binding

$f(treatment) \cup f(records) = \{\{t\}, \{r\}, \{tmr\}\} = \{\{t\}, \{r\}, \{tm\}, \{tr\}, \{rm\}, \{tmr\}\}$

The hospital administrator might be bound to {management}, which from table 3 corresponds
to {{m}, {tma}}. Note how the consultant and administrator are bound to groups of
classes from the lattice $\mathcal{P}\,\alpha HOSPITAL$ which is enforced by GCFM. These classes represent
the sources/sinks that they are permitted to make. For example, class {ma} means that
the administrator can sink management and accounting information; the administrator can
also source records information since {m} ⊆ {tmr} is also in his confinement. Note that in
the case of the mac model described earlier, it is not allowed (and correctly so) to do both:
as soon as the administrator accesses accounts information, his confinement must change
to {{ma}, {tma}} to ensure a secure state. Now it is no longer possible to source to records,
since the administrator possesses accounts information which he has the ability to source,
and accounts $\rightsquigarrow$ records is invalid. Similarly, if the administrator initially sourced to
records, he could no longer sink accounts. We shall see further examples of these kinds of
aggregate policies in the next section. △
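An added Python example (not the paper's code) that carries Definition 15 and the enforcement conditions 1 and 2 through on the HOSPITAL policy. The flow relation is a constructed reconstruction read off the $h(x)$ column of table 3 (every class flows to itself plus the six arrows listed in the code); the assumption that these are exactly the arrows of figure 6 is labelled in the code. It recomputes table 3 from the relation, checks that $f^G$ preserves flows, and evaluates the source/sink questions for the consultant and administrator confinements discussed in the example.

```python
from itertools import product

# Constructed reconstruction of the HOSPITAL relation (figure 6), read off the h(x) column
# of table 3. Assumption: these reflexive pairs plus the six arrows are exactly its flows.
ALPHA = frozenset({"treatment", "records", "accounts", "director", "management"})
FLOWS = {(x, x) for x in ALPHA} | {
    ("treatment", "records"), ("management", "records"),
    ("treatment", "management"), ("accounts", "management"),
    ("management", "director"), ("accounts", "director"),
}
ABBR = {"treatment": "t", "records": "r", "accounts": "a", "director": "d", "management": "m"}


def flows(x, y):
    """x ⇝ y in HOSPITAL."""
    return (x, y) in FLOWS


def is_lower(d, a, b):
    """Definition 9: d is-lower a, b."""
    return (all(flows(d, c) for c in ALPHA if flows(a, c) or flows(b, c))
            and all(flows(c, a) and flows(c, b) for c in ALPHA if flows(c, d)))


def bound_le(a, b):
    """Bound order a ≤ b := a is-lower b, b."""
    return is_lower(a, b, b)


def l(a):
    return frozenset(b for b in ALPHA if bound_le(b, a))   # l_R(a) = {b | b ≤ a}


def h(a):
    return frozenset(b for b in ALPHA if flows(b, a))      # h_R(a) = {b | b ⇝ a}


def f_G(a):
    """Definition 15: f^G(a) = {l(a), h(a)}, an interval of P(alpha R)."""
    return frozenset({l(a), h(a)})


def table3():
    """x ↦ f^G(x) over the abbreviated class names, for comparison with table 3."""
    return {ABBR[x]: frozenset(frozenset(ABBR[c] for c in cls) for cls in f_G(x)) for x in ALPHA}


def group_flows(A, B):
    """Flow relation of R_G (definition 2): A ⇝ B iff ∃X ∈ A, Y ∈ B • X ⊆ Y."""
    return any(X <= Y for X in A for Y in B)


def preserves_flows():
    """∀a, b ∈ alpha R • a ⇝ b ⇔ f^G(a) ⇝ f^G(b)."""
    return all(flows(a, b) == group_flows(f_G(a), f_G(b)) for a, b in product(ALPHA, repeat=2))


def classes_of(confinement):
    """∪{f^G(a) | a ∈ A} for a confinement group A of classes drawn from R."""
    return frozenset().union(*(f_G(a) for a in confinement))


def may_source(confinement, target):
    """Condition 1: E confined to A may source to group S iff ∃x ∈ ∪f^G(A), s ∈ S • x ⊆ s."""
    return any(x <= s for x in classes_of(confinement) for s in target)


def may_sink(confinement, source):
    """Condition 2 (dual): E may sink from group S iff ∃x ∈ ∪f^G(A), s ∈ S • s ⊆ x."""
    return any(s <= x for x in classes_of(confinement) for s in source)
```

The administrator ({management}) can both sink accounts information and source to records, while an entity holding only accounts information cannot source to records; the consultant ({treatment, records}) cannot sink accounts information at all. These are exactly the flows the example argues for, and the function preserves_flows() confirms the flow-preservation claim for every pair of HOSPITAL classes.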

Thus, an arbitrary reflexive flow policy can be transformed and enforced by the GCFM.
If the policy is transitive, then each component a of the policy $\alpha R$ will map to a singleton
set $\{f(a)\}$ in $R_G$, since $l(a) = h(a)$. If the policy is not transitive, then certain components
of $\alpha R$ will map to a group of classes from $\mathcal{P}\,\alpha R$ (in fact an interval, since $l(a) \subseteq h(a)$).
The mapping $f^G$ from R to $R_G$ applies to the abstract model GCFM. If we are to use
a reflexive policy in the SMM, we must ensure that the resulting confinements are valid
(i.e., v() holds). When a single class $a \in \alpha R$ is mapped to $f^G(a)$, since $f^G(a)$ forms an
interval then $v(f^G(a))$ holds. The map of a group of classes $A \in \mathcal{P}\,\alpha R$ may not form a
valid confinement for SMM. In this case, a lowest bound $l = \bigwedge \bigcup\{f^G(a) \mid a \in A\}$ should be
added so that $v(\bigcup\{f^G(a) \mid a \in A\} \cup \{l\})$ holds.
5 Chinese Wall Security Policies


The group confinement model can be used to formulate (and enforce) Chinese Wall security
policies[5]. It has been pointed out that a Chinese wall is a form of aggregation policy, where
users are allowed access to individual datasets but not to aggregates of conflicting datasets.
We will show, using a number of examples, how aggregation policies similar to those in
[5,12,15] might be described within our model.

Example 14 Consider a market analysis database that contains information about banks
Bank-x and Bank-y, and oil companies Oil-z and Oil-w. There are two conflict of interest
classes BANKS and OIL. Within conflict class BANKS there are two kinds of information
(datasets) bank-x and bank-y, corresponding to the class of information held by Bank-x
and Bank-y respectively. The Chinese wall policy insists that these classes are disjoint, i.e.,
information about one bank is not allowed to flow to another bank. Thus the conflict of interest
class BANKS can be thought of as describing a flow policy with alphabet {bank-x, bank-y}
and relations bank-x $\rightsquigarrow$ bank-x, bank-y $\rightsquigarrow$ bank-y. Conflict policy OIL has a similar
definition, with alphabet {oil-z, oil-w} and classes oil-z and oil-w disjoint.

Now we must define how these two policies can be composed. Flows are possible between
the components of the conflict policies so long as they do not violate the relations within
them. Therefore, the overall flow policy can be described by the join[10] of BANKS and OIL.
Policy join $\sqcup$ of policies C1 and C2 has alphabet ($\alpha C1 \cup \alpha C2$) and its flow relation is
defined as ($a, b \in \alpha(C1 \sqcup C2)$)

$a \rightsquigarrow b \;\hat{=}\; (a, b \in \alpha C1 \Rightarrow a \stackrel{C1}{\rightsquigarrow} b) \wedge (a, b \in \alpha C2 \Rightarrow a \stackrel{C2}{\rightsquigarrow} b)$

Table 4 gives the mapping of this policy to the group lattice built from the powerset lattice
$\mathcal{P}\{x, y, z, w\}$, where bank-x is abbreviated to x, and similarly for the other classes. However,
on a closer inspection of policy BANKS $\sqcup$ OIL we discover that it is too general for our
purposes here: it (correctly by its definition) permits flows from bank-x to oil-z and
from bank-y to oil-z and also from bank-x $\oplus$ bank-y to oil-z, which is not desirable.
Thus, we need to supplement the definition of join with a definition of how the aggregates
of classes may flow in the joined policy. In the case of oil-z we wish to prevent it from
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s 

/(«) 

bank-x 

bank-y 

oil-z 

oil-v 

{{x},{xzv}} 

{{z}» {xyz}} 
{{v},{xyv}} 

Table  4:  Mapping  for  BANKS  U  OIL 

sourcing/sinking  aggregate  bank-x  ®  bank-y.  Therefore  we  define  class  oil-z’  as6, 
oil-z*  =  /(oil-z)  -  (/(bank-x)  ©  /(bank-y)) 

=  {{*}.{«}.  {y*}} 

Note  how  xyz  is  no  longer  a  member  of  oil-z*.  The  other  classes  can  be  similarly  redefined 
so  as  to  constrain  flows  of  (conflicting)  aggregates, 

bank-x’  =  /(bank-x)  -  (/(oil-z)  ©  /( oil-v)) 
bank-y’  =  /(bank-y)  -  (/(oil-z)  ©  /( oil-v)) 
oil-v  ’  =  /(oil-v)  -  (/(bank-x)  © /(bank-y)) 

Now,  under  this  flow  policy  information  is  permited  to  flow  between  the  classes  of  differ¬ 
ent  conflict  policies.  For  example,  bank-x’  and  bank-y’  may  flow  to  oil-z’,  but  their 
aggregate  bank-x’  ©  bank-y’  may  not. 

Any information about Bank-x stored in the database will have group confinement
bank-x'; information about Bank-y will have confinement bank-y', etc. A user of the
database will be confined to (bank-x' ∪ bank-y' ∪ oil-z' ∪ oil-w'), allowing access to
every individual item of company information but not to conflicting aggregates.

Consider a database with entries $X$, $Y$, $Z$ and $W$ confined as
$$
\underline{X} = \text{bank-x}' \qquad \underline{Y} = \text{bank-y}' \qquad \underline{Z} = \text{oil-z}' \qquad \underline{W} = \text{oil-w}'
$$
and a user $U$ with confinement $\underline{U} = (\text{bank-x}' \cup \text{bank-y}' \cup \text{oil-z}' \cup \text{oil-w}')$. A system with
flow $\{X, Z\} \triangleright U$ is secure since
$$
\underline{X} \oplus \underline{Z} \;=\; \{\{xz\}, \{xyzw\}\} \;\rightsquigarrow\; \{\{x\}, \{y\}, \{z\}, \{w\}, \{xz\}, \{xw\}, \{yz\}, \{yw\}\} \;=\; \underline{U}
$$
However, a system with flow $\{X, Y\} \triangleright U$ is not secure since
$$
\underline{X} \oplus \underline{Y} \;=\; \{\{xy\}, \{xyz\}, \{xyw\}\}
$$
may not flow to $\underline{U}$, since there is no component of $\underline{U}$ that contains $\{xy\}$. △

⁶Note that the set difference operator is defined on the largest groups in the equivalence classes of its
operands.

Although our example only considered the information flow in terms of the abstract
relation $\triangleright$, it applies equally to the MAC state based example: as the user accesses the
database entries, his confinement will change to reflect the information he possesses, which,
in turn, will ensure a valid Chinese wall.

Lin [12] points out that in the Brewer-Nash model, conflict of interest satisfies a kind
of transitivity property: if A is in conflict with B, and B in conflict with C, then A is
(implicitly) in conflict with C. The GCFM does not impose this type of restriction, as will
be seen in the next example taken from [12].

Example 15 A (slightly outdated) database holds strategic information about the countries
USA, UK and USSR. Information classes usa and uk are disjoint from information of
class ussr (i.e., information is not permitted to flow between them). Thus we define two
conflict of interest classes $C_1$ and $C_2$, with alphabets
$$
\alpha C_1 = \{\text{ussr}, \text{usa}\} \qquad \alpha C_2 = \{\text{ussr}, \text{uk}\}
$$
and no relations defined on them except reflexivity. We can construct $C_1 \sqcup C_2$ using the
same approach as in the last example. Remember that with this joined policy, all relations
are valid so long as the relations of the original policies are preserved. This will yield a
mapping from classes ussr, usa and uk to confinement groups defined as
$$
\begin{aligned}
f(\text{usa}) &= \{\{\text{usa}\}, \{\text{usa}, \text{uk}\}\} \\
f(\text{uk}) &= \{\{\text{uk}\}, \{\text{usa}, \text{uk}\}\} \\
f(\text{ussr}) &= \{\{\text{ussr}\}\}
\end{aligned}
$$
In this policy, information may flow between the USA and UK, but always remains disjoint
from the USSR. △

In [15] Meadows considers how the Brewer-Nash Chinese wall can be extended so that it
can handle military (multilevel) aggregation problems. For example, (conflicting) datasets
A and B might be unclassified and secret respectively; however their aggregate is not secret,
but top-secret. The next example considers how such a policy might be constructed in
terms of a reflexive flow policy and group confinements.

    x            f(x)
    a (usa)      {{a}, {akust}}
    r (ussr)     {{r}, {rust}}
    k (uk)       {{k}, {akust}}
    u            {{u}, {akru}}
    s            {{s}, {akrus}}
    t            {{t}, {akrust}}

Table 5: Flow preserving mapping from MILAGG

Example 16 Consider example 15, and suppose we wish to introduce military-style classifications
for the different kinds of information (datasets) in the system. With this policy,
information of kind usa and/or uk is considered unclassified; information of kind ussr is
secret; information formed from the aggregation of ussr and uk is secret; however, the
aggregation of ussr and usa information is considered top-secret (an 'excepted aggregate').
Thus for example, a secret user of the database may read USSR and UK entries together, but
may read only one of the USSR or USA entries. A top-secret user may read all kinds of information.
Note that all these flows are (implicitly) constrained by the flow policy; thus while the top
secret user may initially be granted complete access to USA and USSR files, he may not
copy information from one to the other.

We must construct a flow policy which defines the allowable flows between the different
kinds (classes) of information. We start off with the usual partially ordered military policy
MILITARY with alphabet $\{u, s, t\}$, where $u$ denotes class unclassified, $s$ denotes secret, and $t$
top-secret. Given policies $C_1$ and $C_2$ from example 15, define the policy
$$
\text{MILAGG} \;=\; C_1 \sqcup C_2 \sqcup \text{MILITARY}
$$
Table 5 gives the initial mapping $f$ from MILAGG to its group policy ($a$ abbreviates usa, $k$
abbreviates uk, and $r$ ussr). As with the last two examples we know that policy join is too
general for aggregation purposes, so some additional constraints need to be placed on each
class. Each dataset is constrained to a single security class from MILITARY; for example,
datasets usa and uk are unclassified. Thus we have (where, like the set difference, intersection
is taken on the largest groups in the equivalence classes of its operands),
$$
\begin{aligned}
a' &= f(a) \cap f(u) = \{\{au\}, \{aku\}\} \\
r' &= f(r) \cap f(s) = \{\{rs\}, \{rus\}\} \\
k' &= f(k) \cap f(u) = \{\{ku\}, \{aku\}\}
\end{aligned}
$$
The security classes from MILITARY are sufficient except that we need to ensure that the
aggregate of USA and USSR information is not secret, but top-secret. This yields
$$
s' \;=\; f(s) - \big(f(a) \oplus f(r)\big) \;=\; \{\{s\}, \{akus\}, \{krus\}\}
$$
A user of the database who is bound to secret (i.e., $s'$) can access any individual dataset,
or the aggregate of USSR and UK. However, he may not access the aggregate of USSR and
USA.

Again remember that these bindings can be used in the state based model described
in section 3. In the case of the secret user, as soon as he accesses USSR information, he
cannot write this information into a UK or USA location (preserve flow policy). Having
done this, he cannot access any USA information (Chinese wall). However, he can still read
UK information, since its aggregate with USSR is secret. △
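The constructions in examples 14 to 16 can be checked mechanically. The Python below is an added example and is not code from this report: it implements a reflexive policy, the join ⊔, the powerset group lattice, the aggregate operator ⊕ and the largest-group reading of set difference and intersection from footnote 6, and then reproduces oil-z' and the two flow checks of example 14 and the classes a', r', k', s' of example 16. One thing in it is an assumption rather than something stated on this page: the rule used to compute the mapping f from a joined policy (each class x maps to {x} together with x joined with every class that may flow to x), which is inferred from Tables 4 and 5 because the transform of section 4.1 is not reproduced here.

```python
"""Added example (not code from the report): group confinement over a
powerset lattice, reproducing examples 14 and 16.

Classes are single letters (x = bank-x, z = oil-z, a = usa, r = ussr, ...)
and lattice elements are frozensets of those letters ordered by subset.
"""
from itertools import combinations


def powerset(atoms):
    """All elements of the powerset lattice P(atoms), as frozensets."""
    atoms = sorted(atoms)
    return [frozenset(c) for r in range(len(atoms) + 1)
            for c in combinations(atoms, r)]


class Policy:
    """A reflexive flow policy: an alphabet of classes and a flow relation."""
    def __init__(self, alphabet, flows=()):
        self.alphabet = frozenset(alphabet)
        self.rel = {(c, c) for c in self.alphabet} | set(flows)

    def flows(self, a, b):
        return (a, b) in self.rel


def join(*policies):
    """Policy join: a ~> b iff every component policy whose alphabet contains
    both a and b permits a ~> b.  Classes that never share a component policy
    may therefore flow freely in both directions."""
    alphabet = frozenset().union(*(p.alphabet for p in policies))
    rel = {(a, b) for a in alphabet for b in alphabet
           if all(p.flows(a, b) for p in policies
                  if a in p.alphabet and b in p.alphabet)}
    return Policy(alphabet, rel)


def mapping(policy):
    """ASSUMPTION: the mapping f of Tables 4 and 5 is read as
    f(x) = {{x}, {x} together with every class that may flow to x}.
    The report's transform (section 4.1) is not on this page."""
    return {x: frozenset({frozenset([x]),
                          frozenset(y for y in policy.alphabet if policy.flows(y, x))})
            for x in policy.alphabet}


# --- operators on confinement groups (sets of lattice elements) --------------
def largest(group, lattice):
    """Largest group in the equivalence class of `group` (footnote 6): every
    lattice element between some lower and some upper member of the group."""
    return frozenset(e for e in lattice
                     if any(lo <= e for lo in group) and any(e <= hi for hi in group))


def reduced(group):
    """Minimal and maximal members only: the compact form the report writes."""
    return frozenset(g for g in group
                     if not any(h < g for h in group) or not any(g < h for h in group))


def upper_agg(a, b):
    """A (+) B = {a v b | a in A, b in B}; join in a powerset lattice is union."""
    return frozenset(x | y for x in a for y in b)


def diff(a, b, lattice):
    """Set difference taken on the largest groups (footnote 6)."""
    return largest(a, lattice) - largest(b, lattice)


def intersect(a, b, lattice):
    """Intersection, likewise taken on the largest groups (needed for a', r', k')."""
    return largest(a, lattice) & largest(b, lattice)


def group_flows(a, b):
    """Group flow A ~> B: some member of A lies below some member of B."""
    return any(x <= y for x in a for y in b)


def example_14():
    lattice = powerset("xyzw")
    f = mapping(join(Policy("xy"), Policy("zw")))          # BANKS |_| OIL
    bx, by, oz, ow = f["x"], f["y"], f["z"], f["w"]
    bx_ = diff(bx, upper_agg(oz, ow), lattice)             # bank-x'
    by_ = diff(by, upper_agg(oz, ow), lattice)             # bank-y'
    oz_ = diff(oz, upper_agg(bx, by), lattice)             # oil-z'
    ow_ = diff(ow, upper_agg(bx, by), lattice)             # oil-w'
    user = bx_ | by_ | oz_ | ow_                           # U = union of the primed classes
    return {
        "oil-z'": reduced(oz_),
        "{X,Z} > U secure": group_flows(upper_agg(bx_, oz_), user),
        "{X,Y} > U secure": group_flows(upper_agg(bx_, by_), user),
    }


def example_16():
    lattice = powerset("akrust")
    military = Policy("ust", [("u", "s"), ("s", "t"), ("u", "t")])
    f = mapping(join(Policy("ra"), Policy("rk"), military))  # MILAGG
    a_ = intersect(f["a"], f["u"], lattice)
    r_ = intersect(f["r"], f["s"], lattice)
    k_ = intersect(f["k"], f["u"], lattice)
    s_ = diff(f["s"], upper_agg(f["a"], f["r"]), lattice)
    return {
        "f(u)": reduced(f["u"]),
        "a'": reduced(a_), "r'": reduced(r_), "k'": reduced(k_), "s'": reduced(s_),
        "secret reads USSR+UK": group_flows(upper_agg(r_, k_), s_),
        "secret reads USSR+USA": group_flows(upper_agg(r_, a_), s_),
    }


if __name__ == "__main__":
    for name, result in (("example 14", example_14()), ("example 16", example_16())):
        print(name)
        for key, value in result.items():
            print(" ", key, "=", sorted("".join(sorted(e)) for e in value)
                  if isinstance(value, frozenset) else value)
```

All flow checks are done on the largest groups, which is safe because ⇝ is invariant under the equivalence (lemma 3 of the appendix); `reduced` only recovers the compact form the report writes, such as {{s},{akus},{krus}}.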

These last three examples illustrate some of the versatility of describing a security policy
in terms of a reflexive flow policy and group confinement. We believe that there are
many more interesting policies that can be described within the framework of the GCFM.
However, it is not initially apparent how to construct the different policies in terms of reflexive
policies and group confinements. For example, we had difficulty trying to capture
the example policy described in [15] and for the sake of clarity had to resort to the simpler
one described in example 16. We have a policy construction operator join $\sqcup$ which does
not quite fit our requirements for composing aggregate policies. Further research is required
to define additional, more useful, policy join operators. Ultimately, we envisage a flow policy
description language, which can succinctly capture the flow and aggregation rules for
a mandatory confidentiality policy. We believe that group policy lattices are sufficiently
flexible to provide the basis for the semantics of such a language.




6  Security  Flavours 


The  group  confinement  model  provides  an  approach  to  modeling  confidentiality  require¬ 
ments  in  systems.  An  information  flow  policy  specifies  the  permitted  dissemination  of 
information  as  a  flow  relation  between  different  classes  (or  kinds)  of  information  that  can 
exist  in  the  system.  Entities  are  bound  to  confinement  groups,  which  provides  a  means  of 
controlling  the  movement  of  aggregate  information  through  the  system. 

6.1  Collective  Confidentiality 

A different interpretation can be made about an information flow policy. Given a reflexive
lattice $R$, then $a \rightsquigarrow b$ ($a, b \in \alpha R$) could be taken to mean that information at class $a$ is
permitted to flow to the collective classes $b_1, \ldots, b_n$, where $b = b_1 \vee \cdots \vee b_n$. This is not to
state that the information may flow from $a$ to the individual $b_i$'s. In general, we say that
for $a_1, \ldots, a_n, b_1, \ldots, b_m$ then $a_1 \wedge \cdots \wedge a_n \rightsquigarrow b_1 \vee \cdots \vee b_m$ means that information at the
collective classes $a_1, \ldots, a_n$ may flow to the collective classes $b_1, \ldots, b_m$. We call a policy
with such an interpretation on its relation a collective flow policy.

Example 17 A system contains a file of passwords of class pass. No single user may
arbitrarily view this file; however a system manager (class s-mgr) and a system operator
(class s-op) are allowed access to the file if they do so together (collectively). This collective
policy is described by the reflexive relation in figure 7.

[Figure 7: Collective flow policy (classes pass, s-op and s-mgr)]

In this policy, information is not allowed to flow from class pass to class s-op, or from
pass to s-mgr. However, it is allowed to flow from pass to a combination of system manager
and operator, i.e., $\text{pass} \rightsquigarrow \text{s-mgr} \vee \text{s-op}$. △


If entities are bound to classes drawn from a collective policy $R$, then a system enforces
the policy $R$ if
$$
\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \;\bullet\; \mathcal{E} \triangleright \mathcal{F} \;\Rightarrow\; \bigwedge \underline{\mathcal{E}} \rightsquigarrow \bigvee \underline{\mathcal{F}} \tag{13}
$$
where $\underline{\mathcal{E}}$ denotes the classes bound to the entities of $\mathcal{E}$. This requires that if $\mathcal{E} \triangleright \mathcal{F}$,
then the entities of $\mathcal{E}$ must have a collective classification that may flow to the collective
classification of the entities of $\mathcal{F}$. Note that a similar requirement can be given for group
confinements, where each entity is bound to a set of classes from the collective policy.

Example 18 Continuing with example 17, a password file, and users Jones and Smith
have bindings
$$
\underline{Pfile} = \text{pass} \qquad \underline{Jones} = \text{s-op} \qquad \underline{Smith} = \text{s-mgr}
$$
A system with only the flow $Pfile \triangleright Jones$ is not secure by requirement (13). However, a
system with the flow $Pfile \triangleright \{Jones, Smith\}$ is secure, since $\underline{Pfile} \rightsquigarrow \underline{Smith} \vee \underline{Jones}$. △
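As an added example (not code from the report), the following Python encodes requirement (13) and checks the two systems of example 18. Figure 7 itself is not on this page, so the lattice and relation are an assumed encoding: the powerset of {pass, op, mgr} ordered by subset, with the reflexive relation extended by the single pair pass ⇝ op ∨ mgr; the entity names and bindings are those of example 18.

```python
"""Added example (not code from the report): the collective flow
requirement (13) over a small reflexive lattice, reproducing example 18.

ASSUMPTION: figure 7 is not on this page, so the collective policy is
encoded here as the powerset lattice of {pass, op, mgr} with a reflexive
flow relation plus the single extra pair pass ~> op v mgr.
"""


def meet(classes):
    """Collective source class a1 ^ ... ^ an (intersection in a powerset lattice)."""
    classes = list(classes)
    result = classes[0]
    for c in classes[1:]:
        result = result & c
    return result


def joinv(classes):
    """Collective sink class b1 v ... v bm (union in a powerset lattice)."""
    result = frozenset()
    for c in classes:
        result = result | c
    return result


# Constructed policy: reflexive on every lattice element, plus pass ~> op v mgr.
PASS, OP, MGR = frozenset({"pass"}), frozenset({"op"}), frozenset({"mgr"})
EXTRA_FLOWS = {(PASS, OP | MGR)}


def policy_flows(a, b):
    """a ~> b in the collective policy: reflexivity or the one extra pair."""
    return a == b or (a, b) in EXTRA_FLOWS


# Entity bindings of example 18.
BINDINGS = {"Pfile": PASS, "Jones": OP, "Smith": MGR}


def collective_secure(sources, sinks):
    """Requirement (13): E |> F is permitted iff  /\\ E ~> \\/ F.
    The join of the sinks is what makes this a two-person rule: pass may
    flow to op v mgr although it may flow to neither op nor mgr alone."""
    return policy_flows(meet(BINDINGS[e] for e in sources),
                        joinv(BINDINGS[e] for e in sinks))


if __name__ == "__main__":
    print(collective_secure({"Pfile"}, {"Jones"}))           # s-op alone
    print(collective_secure({"Pfile"}, {"Jones", "Smith"}))  # operator and manager together
```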

Example 18 shows that an n-person (flow) rule can be specified in terms of a collective
flow policy. The policy transform from section 4.1 implies that an n-person rule can be
described in terms of a lattice, and enforced using its relations and operations. However,
since the security requirement for collective policies is different from that for flow policies, a
collective policy cannot be directly supported within the framework of existing flow models.
Thus for example, the MAC model proposed in section 3 could not, in its present form,
enforce a collective policy. Further research is needed to determine how the MAC model can
be modified so that it can enforce these policies.

6.2  Integrity 

A well known interpretation for a reflexive lattice is an integrity policy [3]. An integrity
policy describes a set of clearances and a relation between these clearances that defines
their relative superiority. If $R$ is a reflexive lattice describing an integrity policy then for
$a, b \in \alpha R$, if $a \rightsquigarrow b$ the clearance $b$ is higher than, or superior to, the clearance $a$. If the relation
$A \triangleright B$ is interpreted as entity $A$ can, in some way, affect the integrity of entity $B$, then if
$A \triangleright B$, $A$ must have a higher clearance than $B$. Thus for $A, B \in ENTS$,
$$
A \triangleright B \;\Rightarrow\; \underline{B} \rightsquigarrow \underline{A}
$$
where the clearance of entity $E$ is denoted $\underline{E}$. If entities are bound to a group of clearances,
with an interpretation similar to that of group confinement for flows, then aggregate
clearances must be considered. The aggregate integrity requirement
$$
\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \;\bullet\; \mathcal{E} \triangleright \mathcal{F} \;\Rightarrow\; \underline{\mathcal{F}}^{\oplus} \rightsquigarrow \underline{\mathcal{E}}^{\otimes} \tag{14}
$$
states that the entities in $\mathcal{E}$ must have sufficient common clearances to affect the integrity
of the entities in $\mathcal{F}$.

Example 19 The company in example 6 might have an integrity policy described by the
powerset lattice of categories {acc, pers, sale}. An employee with an integrity confinement
of {{acc}, {sale}, {pers}} is permitted to change the phone numbers of any single
department, but not the numbers of different departments. An employee with integrity
{{acc, pers, sale}} is allowed to change the numbers of all departments (assuming his/her
confidentiality confinement allows such access). △

6.3  Collective  Integrity 

An integrity policy can also be interpreted as a collective integrity policy. Such a policy
describes what collective clearances are sufficient to allow the integrity of an entity to be
changed. The collective integrity policy requirement follows from (13) and (14) above, and
is
$$
\forall \mathcal{E}, \mathcal{F} \subseteq ENTS \;\bullet\; \mathcal{E} \triangleright \mathcal{F} \;\Rightarrow\; \ldots \tag{15}
$$
where the consequent of (15) is illegible in the source.

Example 20 An integrity policy (figure 8) describes the relationship between the security
clearances: cheques (cheque), company secretary (sec), and managing director (md).

[Figure 8: Collective flow policy (clearances cheque, sec and md)]

The company secretary and managing director do not, individually, have sufficient clearance to
write a cheque. However, their collective clearance can write a cheque. The company accountant
may also be allowed to write a cheque so long as he/she does so with the secretary or the
managing director. We do not want a commitment on the clearance for the accountant, and
thus confine him/her to {sec, md}, providing the necessary aggregation control. Note that
this clearance contains an assumption that if there are two accountants in the company,
then they are trusted to write cheques jointly (but cannot write them individually). △

6.4  Controlled  Violations 

The notion of memoryless entities (section 3.5) together with reflexive flow policies provides
an effective approach to controlled flow violations. Consider the private hospital from
example 13 (page 43). Treatment information is not allowed to flow to directors. A yearly
report on treatment statistics might be required by directors; however the flow policy will
not permit it. Introduce a new information class t-stat to the policy such that it is disjoint
from all other classes except for the flows $\text{treatment} \rightsquigarrow \text{t-stat}$ and $\text{t-stat} \rightsquigarrow \text{director}$.
This revised policy continues to ensure $\text{treatment} \not\rightsquigarrow \text{director}$. Develop a (trojan free)
process that scans treatment information and generates a statistical report. If we use
statistical inference control techniques to ensure that the report does not reveal anything
about individual patients, then the reporting entity (the report process) can be regarded as
memoryless, and confined to class {t-stat}. Now the only information that can flow from
treatment to directors is treatment statistics⁷.

Careful use of this technique can provide an approach to typing information flow: the
only information that can flow from class a to class b is information of class c. Of course,
the validity of the technique rests with the ability to provide sufficient assurance that the
entities confined to class c can be trusted to handle the information appropriately. The
technique can also be used for integrity policies, and provides a method for ensuring that
the integrity of an entity can be changed only by invoking a certain class of procedure. These
procedures are trusted in the sense that they will alter the entity's integrity appropriately.

⁷Assuming that all entities bound to class t-stat are appropriate statistical processes.
7 Conclusion


This report proposes a new approach to describing controls on the dissemination of information
in systems. The approach is driven by a flow policy that describes the allowable
flows between different classes (or kinds) of information that can exist in a system, and
each system entity is bound to a group of these classes. Unlike traditional binding, group
confinement provides control on the movement of aggregate information flowing into and
out of an entity.

The report provides evidence (via examples) that useful non-transitive flow policies do
exist, and thus we call for a basic requirement that the flow relation can be any reflexive
relation on a set of classes. We know from section 4 that such a relation can be transformed
into a reflexive lattice, which in turn is defined in terms of lattice operations, thus facilitating
its implementation. With this combination of reflexive flow policies and confinement groups
complex policies can be described. To illustrate this, a selection of Chinese wall policies were
described.

Section 3 detailed how group confinement could be refined to a state based security
model. The resulting model is not at all unlike existing state based models. Entities
are bound to components from a flow policy (the group confinement policy), an inductive
notion of secure state and secure transition can be captured, and indeed a system could
be built around a reference monitor if desired. As a first attempt at refining the GCFM,
section 3 proposed a simple (yet effective) state based model. For the future we intend to
develop more complex model refinements, hopefully culminating in a refinement that will
be analogous to the Terry and Wiseman security model in [16] enforcing group confinement.

Section  6  briefly  considers  how  reflexive  lattices  can  be  used  to  specify  properties  other 
than  confinement.  The  most  obvious  applications  of  reflexive  lattices  are  confidentiality  and 
integrity  policies.  The  notion  of  a  collective  policy  was  introduced,  where  a  reflexive  lattice 
describes  how  collections  of  different  classes  of  information  may  flow.  Further  work  needs 
to  be  done  to  determine  how  collective  policies  can  be  enforced  by  state  based  models. 

To conclude, this report has shown that it is possible to describe useful confidentiality,
integrity, separation of duty and aggregation based policies in terms of lattices.
A Theorems and Lemmas


A.1 Group Confinement Model

Lemma 1 The bound order relation (definition 3) can also be defined as: for groups $A, B \in \alpha L_G$,
$$
A \leq B \;\equiv\; (\forall a \in A \bullet \exists b \in B \bullet a \leq b) \;\wedge\; (\forall b \in B \bullet \exists a \in A \bullet a \leq b)
$$

PROOF I By definition we have,
$$
A \leq B \;\Rightarrow\; \forall X \in \alpha L_G \bullet X \rightsquigarrow A \Rightarrow X \rightsquigarrow B
$$
Pick singleton sets $X$ from above, drawn from the set $A$; this gives,
$$
A \leq B \;\Rightarrow\; \forall x \in A \bullet \{x\} \rightsquigarrow A \Rightarrow \{x\} \rightsquigarrow B
$$
But $\{x\} \rightsquigarrow A$ always holds since $x \in A$. Thus,
$$
\begin{aligned}
A \leq B &\Rightarrow \forall x \in A \bullet \{x\} \rightsquigarrow B \\
         &\Rightarrow \forall a \in A \bullet \exists b \in B \bullet a \leq b
\end{aligned} \tag{16}
$$
Similarly,
$$
A \leq B \;\Rightarrow\; \forall X \in \alpha L_G \bullet B \rightsquigarrow X \Rightarrow A \rightsquigarrow X
$$
and picking singleton $X$'s drawn from $B$ gives,
$$
\begin{aligned}
A \leq B &\Rightarrow \forall x \in B \bullet B \rightsquigarrow \{x\} \Rightarrow A \rightsquigarrow \{x\} \\
         &\Rightarrow \forall b \in B \bullet \exists a \in A \bullet a \leq b
\end{aligned} \tag{17}
$$
Combining (16) and (17) gives
$$
A \leq B \;\Rightarrow\; (\forall a \in A \bullet \exists b \in B \bullet a \leq b) \;\wedge\; (\forall b \in B \bullet \exists a \in A \bullet a \leq b)
$$

PROOF II We have by definition, for $A, B, X \in \alpha L_G$,
$$
B \rightsquigarrow X \;\equiv\; \exists b \in B, x \in X \bullet b \leq x
$$
but if $(\forall b \in B \bullet \exists a \in A \bullet a \leq b)$ holds, then for that $b$ there is an $a$ such that $a \leq b$, and by
transitivity $a \leq x$. Thus,
$$
(\forall b \in B \bullet \exists a \in A \bullet a \leq b) \;\Rightarrow\; \forall X \bullet B \rightsquigarrow X \Rightarrow A \rightsquigarrow X \tag{18}
$$
and similarly (from $x \leq a$ and $a \leq b$) we can show,
$$
(\forall a \in A \bullet \exists b \in B \bullet a \leq b) \;\Rightarrow\; \forall X \bullet X \rightsquigarrow A \Rightarrow X \rightsquigarrow B \tag{19}
$$
and combining (18) and (19) gives
$$
(\forall a \in A \bullet \exists b \in B \bullet a \leq b) \;\wedge\; (\forall b \in B \bullet \exists a \in A \bullet a \leq b) \;\Rightarrow\; A \leq B
$$
□


Lemma 2 Equality (definition 6) forms an equivalence relation over $L_G$.

PROOF The reflexivity and symmetry of equality follow from its definition. Transitivity:
the definition of equality implies that
$$
\begin{aligned}
A = B &\Rightarrow \forall a \in A \bullet B \text{ covers } a \\
      &\Rightarrow \forall a \in A \bullet \exists b_1, b_2 \in B \bullet b_1 \leq a \wedge a \leq b_2
\end{aligned} \tag{20}
$$
Similarly,
$$
B = C \;\Rightarrow\; \forall b \in B \bullet \exists c_1, c_2 \in C \bullet c_1 \leq b \wedge b \leq c_2 \tag{21}
$$
Combining (20) and (21) gives
$$
\begin{aligned}
A = B \wedge B = C \;\Rightarrow\; &\forall a \in A \bullet \exists b_1, b_2 \in B,\; c_1, c_2, c_3, c_4 \in C \bullet \\
&\quad b_1 \leq a \wedge a \leq b_2 \wedge c_1 \leq b_1 \wedge b_1 \leq c_2 \wedge c_3 \leq b_2 \wedge b_2 \leq c_4
\end{aligned}
$$
Transitivity of the order $\leq$ then implies that
$$
\begin{aligned}
A = B \wedge B = C &\Rightarrow \forall a \in A \bullet \exists c_1, c_4 \in C \bullet c_1 \leq a \wedge a \leq c_4 \\
                   &\Rightarrow \forall a \in A \bullet C \text{ covers } a
\end{aligned} \tag{22}
$$
We can similarly show that
$$
A = B \wedge B = C \;\Rightarrow\; \forall c \in C \bullet A \text{ covers } c \tag{23}
$$
Combining (22) with (23) gives,
$$
A = B \wedge B = C \;\Rightarrow\; A = C
$$
i.e., equality is transitive. □

Lemma 3 Equality preserves the group flow relation of $L_G$, i.e.,
$$
\forall A, B, X \in \alpha L_G \bullet A \rightsquigarrow B \wedge A = X \;\Rightarrow\; X \rightsquigarrow B
$$

PROOF The definition of equality gives
$$
A = X \;\Rightarrow\; \forall a \in A \bullet \exists x \in X \bullet x \leq a \tag{24}
$$
The definition of the group flow relation gives, for $A, B \in \alpha L_G$,
$$
A \rightsquigarrow B \;\Rightarrow\; \exists a \in A, b \in B \bullet a \leq b \tag{25}
$$
However, equation (24) implies that for the $a \in A$ in equation (25), there exists an $x \in X$ such
that $x \leq b$, thus
$$
\begin{aligned}
A = X \wedge A \rightsquigarrow B &\Rightarrow \exists x \in X, b \in B \bullet x \leq b \\
                                  &\Rightarrow X \rightsquigarrow B
\end{aligned}
$$
We can similarly show that
$$
A \rightsquigarrow B \wedge B = X \;\Rightarrow\; A \rightsquigarrow X
$$
□


Lemma 4 Equality preserves upper aggregate, i.e.,
$$
\forall X, Y, A \in \alpha L_G \bullet X = Y \;\Rightarrow\; A \oplus X = A \oplus Y
$$

PROOF The definition of equality gives, for $X, Y \in \alpha L_G$,
$$
X = Y \;\Rightarrow\; \forall x \in X \bullet \exists y \in Y \bullet x \leq y
$$
Since $L$ forms a lattice, then for any $a \in \alpha L$
$$
x \leq y \;\Rightarrow\; x \vee a \leq y \vee a
$$
Thus for an arbitrary $A \in \alpha L_G$,
$$
X = Y \;\Rightarrow\; \forall a \in A, x \in X \bullet \exists y \in Y \bullet x \vee a \leq y \vee a \tag{26}
$$
But given that $A \oplus B = \{a \vee b \mid a \in A, b \in B\}$, equation (26) can be written as
$$
X = Y \;\Rightarrow\; \forall x \in A \oplus X \bullet \exists y \in A \oplus Y \bullet x \leq y \tag{27}
$$
We can similarly show that
$$
\begin{aligned}
X = Y &\Rightarrow \forall x \in X \bullet \exists y \in Y \bullet y \leq x \\
      &\Rightarrow \forall x \in A \oplus X \bullet \exists y \in A \oplus Y \bullet y \leq x
\end{aligned} \tag{28}
$$
Equations (27) and (28) give
$$
X = Y \;\Rightarrow\; \forall x \in A \oplus X \bullet A \oplus Y \text{ covers } x
$$
and we can similarly derive from $X = Y$ that,
$$
X = Y \;\Rightarrow\; \forall y \in A \oplus Y \bullet A \oplus X \text{ covers } y
$$
and thus $X = Y$ implies that $A \oplus X = A \oplus Y$. □

Note that the proof that equality preserves the lower aggregate is identical in approach
to lemma 4, and is not given here.

Lemma 5 Union of confinement groups is closed over equivalence classes, i.e. for $X, Y \in \alpha L_G$,
$$
X = Y \;\Rightarrow\; X \cup Y = Y
$$

PROOF From the definition of equality we have
$$
\begin{aligned}
X = Y &\Rightarrow \forall x \in X \bullet Y \text{ covers } x \\
Y = Y &\Rightarrow \forall y \in Y \bullet Y \text{ covers } y
\end{aligned}
$$
combining these gives,
$$
\forall x \in X \cup Y \bullet Y \text{ covers } x \tag{29}
$$
If $X$ covers $y$ ($X \in \alpha L_G$, $y \in \alpha L$) then for any $A \in \alpha L_G$, $X \cup A$ covers $y$ also holds. Thus
$$
X = Y \;\Rightarrow\; \forall y \in Y \bullet X \cup Y \text{ covers } y \tag{30}
$$
and combining (29) and (30) gives $X \cup Y = Y$. □
Lemma 6 Intersection of confinement groups is closed over equivalence classes, i.e. for $X, Y \in \alpha L_G$,
$$
X = Y \;\Rightarrow\; X \cap Y = Y
$$

PROOF We have,
$$
X = Y \;\Rightarrow\; \forall y \in Y \bullet X \text{ covers } y \tag{31}
$$
$$
X = Y \;\Rightarrow\; \forall x \in X \bullet Y \text{ covers } x \tag{32}
$$
Combining equation (31) with the fact that
$$
Y = Y \;\Rightarrow\; \forall y \in Y \bullet Y \text{ covers } y
$$
gives
$$
X = Y \;\Rightarrow\; \forall y \in X \cap Y \bullet Y \text{ covers } y \tag{33}
$$
Now, for any $y \in Y$, equation (31) gives
$$
X = Y \;\Rightarrow\; \exists x_0 \in X \bullet y \leq x_0
$$
Applying equation (32) to the $x_0$ defined above gives
$$
X = Y \;\Rightarrow\; \exists x_0 \in X, y_0 \in Y \bullet y \leq x_0 \wedge x_0 \leq y_0
$$
Repeatedly applying equations (31) and (32) gives an equation of the form ($n \geq 0$)
$$
X = Y \;\Rightarrow\; \exists x_0, \ldots, x_n \in X,\; y_0, \ldots, y_n \in Y \bullet y \leq x_0 \wedge x_0 \leq y_0 \wedge y_0 \leq x_1 \wedge \ldots \wedge x_n \leq y_n \tag{34}
$$
If $n \geq |Y|$, then there exist in (34) above components $y_h, y_k$ ($h < k$) such that $y_h = y_k$.
Equation (34) above implies that there exists a $z \in X$ such that $y_h \leq z \leq y_k$. Since
$\leq$ is a partial order we have $y_k = z$. Therefore we can state that
$$
\begin{aligned}
X = Y &\Rightarrow \forall y \in Y \bullet \exists x \in X, y' \in Y \bullet y \leq x \wedge x = y' \\
      &\Rightarrow \forall y \in Y \bullet \exists z \in X \cap Y \bullet y \leq z
\end{aligned} \tag{35}
$$
We can similarly show that
$$
\begin{aligned}
X = Y &\Rightarrow \exists x_0, \ldots, x_n \in X,\; y_0, \ldots, y_n \in Y \bullet x_0 \leq y \wedge y_0 \leq x_0 \wedge x_1 \leq y_0 \wedge \ldots \wedge y_n \leq x_n \\
      &\Rightarrow \forall y \in Y \bullet \exists z \in X \cap Y \bullet z \leq y
\end{aligned} \tag{36}
$$
Equations (35) and (36) give
$$
X = Y \;\Rightarrow\; \forall y \in Y \bullet X \cap Y \text{ covers } y
$$
which when combined with (33) gives $X = Y \Rightarrow X \cap Y = Y$. □

Lemma 7 Equality preserves the flow relation defined on confinement groups, i.e. for $A, B, X \in \alpha L_G$,
$$
A \rightsquigarrow B \wedge A = X \;\Rightarrow\; X \rightsquigarrow B
$$

PROOF We have by definition
$$
\begin{aligned}
A = X &\Rightarrow \forall a \in A \bullet \exists x \in X \bullet x \leq a \\
A \rightsquigarrow B &\Rightarrow \exists a \in A, b \in B \bullet a \leq b
\end{aligned}
$$
by transitivity, we have $x \leq a \wedge a \leq b \Rightarrow x \leq b$, thus
$$
\begin{aligned}
A = X \wedge A \rightsquigarrow B &\Rightarrow \exists x \in X, b \in B \bullet x \leq b \\
                                  &\Rightarrow X \rightsquigarrow B
\end{aligned}
$$
□

Lemma 8 The relation $\leq$ forms a partial order over the group policy $L_G$.

PROOF Reflexivity follows from the definition of the relation.

Antisymmetry: Given $A, B \in \alpha L_G$, then we have
$$
\begin{aligned}
A \leq B \wedge B \leq A &\Rightarrow \forall b \in B \bullet \exists a_1, a_2 \in A \bullet a_1 \leq b \wedge b \leq a_2 \;\wedge\;
                            \forall a \in A \bullet \exists b_1, b_2 \in B \bullet b_1 \leq a \wedge a \leq b_2 \\
                         &\Rightarrow \forall b \in B \bullet A \text{ covers } b \;\wedge\; \forall a \in A \bullet B \text{ covers } a \\
                         &\Rightarrow A = B
\end{aligned}
$$
(so $\leq$ is antisymmetric up to the equality of lemma 2, i.e. over the equivalence classes of $L_G$).

Transitivity: Given $A, B, C \in \alpha L_G$, we have $A \leq B \wedge B \leq C \Rightarrow$
$$
\forall b \in B \bullet \exists a \in A \bullet a \leq b \tag{37}
$$
$$
\forall a \in A \bullet \exists b \in B \bullet a \leq b \tag{38}
$$
$$
\forall c \in C \bullet \exists b \in B \bullet b \leq c \tag{39}
$$
$$
\forall b \in B \bullet \exists c \in C \bullet b \leq c \tag{40}
$$
Combining (37) with (39) and (38) with (40), transitivity gives
$$
\begin{aligned}
A \leq B \wedge B \leq C &\Rightarrow \forall c \in C \bullet \exists a \in A \bullet a \leq c \;\wedge\; \forall a \in A \bullet \exists c \in C \bullet a \leq c \\
                         &\Rightarrow A \leq C
\end{aligned}
$$
□

Lemma 9 The equality relation preserves ordering on confinement groups, i.e. for $A, B, X \in \alpha L_G$,
$$
A \leq B \wedge A = X \;\Rightarrow\; X \leq B
$$

PROOF We have by definition
$$
\begin{aligned}
A = X &\Rightarrow \forall a \in A \bullet \exists x \in X \bullet x \leq a \\
A \leq B &\Rightarrow \forall b \in B \bullet \exists a \in A \bullet a \leq b
\end{aligned}
$$
Combining these and noting the transitivity of the order gives,
$$
A = X \wedge A \leq B \;\Rightarrow\; \forall b \in B \bullet \exists x \in X \bullet x \leq b \tag{41}
$$
Similarly, we have
$$
\begin{aligned}
A = X &\Rightarrow \forall x \in X \bullet \exists a \in A \bullet x \leq a \\
A \leq B &\Rightarrow \forall a \in A \bullet \exists b \in B \bullet a \leq b
\end{aligned}
$$
which implies
$$
A = X \wedge A \leq B \;\Rightarrow\; \forall x \in X \bullet \exists b \in B \bullet x \leq b \tag{42}
$$
Combining (41) and (42) gives
$$
A = X \wedge A \leq B \;\Rightarrow\; X \leq B
$$
□

Lemma 10 Given the partial ordering $\leq$ on $L_G$, the upper aggregate operator gives an upper
bound on its operands, i.e. for $A, B \in \alpha L_G$ then $A \leq A \oplus B$ and $B \leq A \oplus B$.

PROOF Reflexivity implies that
$$
A \oplus B \leq A \oplus B \tag{43}
$$
$$
\begin{aligned}
&\Rightarrow \forall x \in A \oplus B \bullet \exists y \in A \oplus B \bullet x \leq y \\
&\Rightarrow \forall a \in A, b \in B \bullet \exists y \in A \oplus B \bullet a \vee b \leq y \\
&\Rightarrow \forall a \in A \bullet \exists y \in A \oplus B \bullet a \leq y
\end{aligned} \tag{44}
$$
(since $a \vee b \leq y$ implies $a \leq y$). Similarly,
$$
A \oplus B \leq A \oplus B \tag{45}
$$
$$
\begin{aligned}
&\Rightarrow \forall y \in A \oplus B \bullet \exists a \in A, b \in B \bullet a \vee b \leq y \\
&\Rightarrow \forall y \in A \oplus B \bullet \exists a \in A \bullet a \leq y
\end{aligned} \tag{46}
$$
Combining (44) and (46) gives $A \leq A \oplus B$. We can similarly show that $B \leq A \oplus B$ also
holds. □

The proof that the lower aggregate operator gives a lower bound on its operands (under
the ordering relation $\leq$) is identical in approach to lemma 10 above, and is not given here.


Lemma 11 The aggregation operators $\oplus$ and $\otimes$ are associative.

PROOF Follows, since the upper and lower bound operators defined on the base lattice
$L$ are associative, i.e., for $A, B, C \in \alpha L_G$,
$$
\begin{aligned}
(A \oplus B) \oplus C &= \{x \vee c \mid x \in A \oplus B \wedge c \in C\} \\
                      &= \{(a \vee b) \vee c \mid a \in A \wedge b \in B \wedge c \in C\} \\
                      &= \{a \vee (b \vee c) \mid a \in A \wedge b \in B \wedge c \in C\} \\
                      &= \{a \vee x \mid a \in A \wedge x \in B \oplus C\} \\
                      &= A \oplus (B \oplus C)
\end{aligned}
$$
and similarly for the lower aggregate operator. □


Lemma 12 If a confinement group policy is constructed from a distributive lattice then
the aggregate operators are distributive, i.e., for $A, B, C \in \alpha L_G$, then
$$
A \oplus (B \otimes C) \;=\; (A \oplus B) \otimes (A \oplus C)
$$

PROOF We have by definition and the distributivity of $L$,
$$
\begin{aligned}
A \oplus (B \otimes C) &= A \oplus \{b \wedge c \mid b \in B \wedge c \in C\} \\
                       &= \{a \vee (b \wedge c) \mid a \in A \wedge b \in B \wedge c \in C\} \\
                       &= \{(a \vee b) \wedge (a \vee c) \mid a \in A \wedge b \in B \wedge c \in C\} \\
                       &= \{x \wedge y \mid x \in A \oplus B \wedge y \in A \oplus C\} \\
                       &= (A \oplus B) \otimes (A \oplus C)
\end{aligned}
$$
It follows that
$$
A \otimes (B \oplus C) \;=\; (A \otimes B) \oplus (A \otimes C)
$$
also holds. Note that if our base lattice $L$ is not distributive then $L_G$ is not distributive. □


Lemma 13 Given confinement groups $A, B \in \alpha L_G$ then,
$$
\forall D \bullet (A \leq D \wedge B \leq D) \;\Rightarrow\; A \oplus B \rightsquigarrow D
$$

PROOF We have by definition of $\leq$
$$
\begin{aligned}
A \leq D \wedge B \leq D &\Rightarrow \forall d \in D \bullet \exists a \in A, b \in B \bullet a \leq d \wedge b \leq d \\
                         &\Rightarrow \forall d \in D \bullet \exists a \in A, b \in B \bullet a \vee b \leq d \\
                         &\Rightarrow \forall d \in D \bullet \exists x \in A \oplus B \bullet x \leq d \\
                         &\Rightarrow A \oplus B \rightsquigarrow D
\end{aligned}
$$
□


Lemma 14 Given confinement groups $A, B \in \alpha L_G$ then,
$$
\forall D \bullet (A \leq D \wedge B \leq D) \;\Rightarrow\; \exists X \subseteq A \oplus B \bullet A \leq X \wedge B \leq X \wedge X \leq D
$$

PROOF Define $X$ above as
$$
X \;=\; \{x \in A \oplus B \mid \exists d \in D \bullet x \leq d\}
$$
It follows from its definition that
$$
\forall x \in X \bullet \exists d \in D \bullet x \leq d \tag{47}
$$
Since $D$ is an upper bound on $A$ and $B$ then,
$$
\begin{aligned}
&\forall d \in D \bullet \exists a \in A, b \in B \bullet a \vee b \leq d \\
\Rightarrow\; &\forall d \in D \bullet \exists x \in A \oplus B \bullet x \leq d
\end{aligned}
$$
Thus for any $d \in D$, we have an $x \in A \oplus B$ with $x \leq d$, and therefore $x$ is also a member
of $X$ defined above. Thus,
$$
\forall d \in D \bullet \exists x \in X \bullet x \leq d \tag{48}
$$
Combining equations (47) and (48) gives $X \leq D$. Next, from the definition of $X$ we have,
$$
\begin{aligned}
&\forall x \in X \bullet \exists a \in A, b \in B \bullet a \vee b = x \\
\Rightarrow\; &\forall x \in X \bullet \exists a \in A \bullet a \leq x
\end{aligned} \tag{49}
$$
Since $A \leq D$ then,
$$
\forall a \in A \bullet \exists d \in D \bullet a \leq d \tag{50}
$$
and since $B \leq D$ we have
$$
\forall d \in D \bullet \exists b \in B \bullet b \leq d \tag{51}
$$
combining (50) and (51) gives
$$
\begin{aligned}
&\forall a \in A \bullet \exists d \in D, b \in B \bullet a \leq d \wedge b \leq d \\
\Rightarrow\; &\forall a \in A \bullet \exists b \in B \bullet \exists d \in D \bullet a \leq a \vee b \wedge a \vee b \leq d
\end{aligned}
$$
and since $X$ contains $a \vee b$ ($a \in A$, $b \in B$) such that $a \vee b \leq d$ (for some $d \in D$), we can
write
$$
\forall a \in A \bullet \exists x \in X \bullet a \leq x
$$
combining this with (49) above gives $A \leq X$, and we similarly have $B \leq X$, and the
lemma is proven. □

A.2  State  Machine  Model  SMM 

Lemma 15 Given confinement groups $A$, $B$ and $C$, each constrained so that $v(A)$, $v(B)$ and $v(C)$ holds, then

\[ C \leadsto A \otimes B \Leftrightarrow C \leadsto A \land C \leadsto B \]

PROOF I We have

\[
\begin{aligned}
C \leadsto A \otimes B &\Rightarrow \exists c \in C, a \in A, b \in B \cdot c \le a \land b \\
&\Rightarrow \exists c \in C, a \in A, b \in B \cdot c \le a \land c \le b \\
&\Rightarrow C \leadsto A \land C \leadsto B
\end{aligned}
\]

PROOF II We have

\[ C \leadsto A \land C \leadsto B \Rightarrow \exists c, c' \in C, a \in A, b \in B \cdot c \le a \land c' \le b \]

but because $v(C)$ holds, we have $\bot_C \le a$ and $\bot_C \le b$. Thus

\[
\begin{aligned}
C \leadsto A \land C \leadsto B &\Rightarrow \exists c \in C, a \in A, b \in B \cdot c \le a \land b \\
&\Rightarrow C \leadsto A \otimes B
\end{aligned}
\]

Note that

\[ A \oplus B \leadsto C \Leftrightarrow A \leadsto C \land B \leadsto C \]

does not necessarily hold (in fact, for this to hold, $C$ must contain a component that forms an upper bound on every element of $C$). □

Lemma 16 $v()$ is closed over $\oplus$ and $\otimes$, i.e., for groups $A$ and $B$,

\[ v(A) \land v(B) \Rightarrow v(A \oplus B) \land v(A \otimes B) \]

PROOF Since $\bot_A \lor \bot_B \le a \lor b$ and $\bot_A \land \bot_B \le a \land b$ for every $a \in A$ and $b \in B$,

\[
\begin{aligned}
v(A) \land v(B) &\Rightarrow \bot_A \lor \bot_B \in A \oplus B \\
&\Rightarrow v(A \oplus B) \\
v(A) \land v(B) &\Rightarrow \bot_A \land \bot_B \in A \otimes B \\
&\Rightarrow v(A \otimes B)
\end{aligned}
\]

□


Lemma 17 Given confinement groups $A$ and $B$ with $v(A) \land v(B)$, then

\[ \bot_{A \oplus B} = \bot_A \lor \bot_B \]

PROOF Follows from the definition $A \oplus B = \{a \lor b \mid a \in A \land b \in B\}$ □
Lemma 18 Given entities $E$ and $F$, and a secure transition sequence $\Sigma_n$, then

\[ E \leadsto^{\Sigma_n} F \Rightarrow \forall f \in s_n.F \cdot \bot_{s_0.E} \le f \]

where $s.E$ denotes the confinement group of entity $E$ at state $s$.

PROOF We will use induction on the length of $\Sigma_n$.

• If $n = 0$, then since $s_0$ is secure we have,

\[
\begin{aligned}
E \leadsto^{\Sigma_0} F &\Leftrightarrow E \leadsto^{s_0} F \\
&\Rightarrow \forall f \in s_0.F \cdot \bot_{s_0.E} \le f
\end{aligned}
\]

and thus the trivial case holds.

• (inductive step) Assume that it holds for $n$. Now consider $\Sigma_{n+1}$. We have by definition,

\[ E \leadsto^{\Sigma_{n+1}} F \Rightarrow \exists G \in \mathit{ENTS} \cdot E \leadsto^{\Sigma_n} G \land G \leadsto^{s_{n+1}} F \]

The inductive hypothesis gives,

\[ E \leadsto^{\Sigma_n} G \Rightarrow \forall g \in s_n.G \cdot \bot_{s_0.E} \le g \tag{52} \]

The definition of a secure state gives,

\[ G \leadsto^{s_{n+1}} F \Rightarrow \forall f \in s_{n+1}.F \cdot \bot_{s_{n+1}.G} \le f \tag{53} \]

Since the transition from $s_n$ to $s_{n+1}$ is secure we have $s_{n+1}.G \subseteq s_n.G$, so $\bot_{s_{n+1}.G} \in s_n.G$. Applying this to equations (52) and (53) gives

\[
\begin{aligned}
E \leadsto^{\Sigma_{n+1}} F &\Rightarrow \forall f \in s_{n+1}.F \cdot \bot_{s_{n+1}.G} \le f \land \bot_{s_0.E} \le \bot_{s_{n+1}.G} \\
&\Rightarrow \forall f \in s_{n+1}.F \cdot \bot_{s_0.E} \le f
\end{aligned}
\]

Thus, by induction the lemma holds. □

Theorem 2 The state model SMM is a refinement of the abstract GCFM, i.e., for every secure transition sequence $\Sigma_n$, then

\[ \forall \mathcal{E}, \mathcal{F} \subseteq \mathit{ENTS} \cdot \mathcal{E} \leadsto^{\Sigma_n} \mathcal{F} \Rightarrow s_0.\mathcal{E}^{\oplus} \leadsto s_0.\mathcal{F}^{\otimes} \]

where $s_0.\mathcal{E}^{\oplus}$ and $s_0.\mathcal{F}^{\otimes}$ are the upper and lower aggregates of the initial confinements of the entities in $\mathcal{E}$ and $\mathcal{F}$ respectively. If this holds, then any system that is secure by SMM (every $\Sigma_n$ is secure) will be secure by GCFM.

PROOF We have for $\mathcal{E}, \mathcal{F} \subseteq \mathit{ENTS}$

\[ \mathcal{E} \leadsto^{\Sigma_n} \mathcal{F} \Rightarrow \forall E \in \mathcal{E}, F \in \mathcal{F} \cdot E \leadsto^{\Sigma_n} F \]

Applying the previous lemma (18) and then lemma 17 gives,

\[
\begin{aligned}
&\forall E \in \mathcal{E}, F \in \mathcal{F} \cdot \forall f \in s_n.F \cdot \bot_{s_0.E} \le f \\
\Rightarrow\;& \forall F \in \mathcal{F} \cdot \forall f \in s_n.F \cdot \bot_{s_0.\mathcal{E}^{\oplus}} \le f
\end{aligned}
\]

Since the transitions from state $s_0$ to state $s_n$ are secure then $s_n.F \subseteq s_0.F$, and thus

\[
\begin{aligned}
\mathcal{E} \leadsto^{\Sigma_n} \mathcal{F} &\Rightarrow \forall F \in \mathcal{F} \cdot \exists f \in s_0.F \cdot \bot_{s_0.\mathcal{E}^{\oplus}} \le f \\
&\Rightarrow \forall F \in \mathcal{F} \cdot s_0.\mathcal{E}^{\oplus} \leadsto s_0.F
\end{aligned}
\]

Since the confinement groups are restricted, lemma 15 can be called on to give

\[ \mathcal{E} \leadsto^{\Sigma_n} \mathcal{F} \Rightarrow s_0.\mathcal{E}^{\oplus} \leadsto s_0.\mathcal{F}^{\otimes} \]

□

Lemma 19 A (secure) transition from a secure state $s$ to a secure state $s'$ with flows described by $\leadsto^{s'}$ is possible iff

\[ \forall E \in \mathit{ENTS} \cdot \oplus\{s.X \mid X \leadsto^{s'} E\} \leadsto s.E \tag{54} \]

PROOF I (If a secure transition to secure $s'$ with flows $\leadsto^{s'}$ at state $s'$ exists then equation (54) holds) At state $s'$ we have for $E \in \mathit{ENTS}$,

\[
\begin{aligned}
\forall X \in \mathit{ENTS} \cdot X \leadsto^{s'} E &\Rightarrow \forall e \in s'.E \cdot \bot_{s'.X} \le e \\
&\Rightarrow \oplus\{s'.X \mid X \leadsto^{s'} E\} \leadsto s'.E
\end{aligned}
\]

Since the transition from $s$ to $s'$ is secure we have $s'.X \subseteq s.X$ for each entity $X$ and thus

\[ \oplus\{s'.X \mid X \leadsto^{s'} E\} \subseteq \oplus\{s.X \mid X \leadsto^{s'} E\} \]

which (with $s'.E \subseteq s.E$) implies,

\[ \forall E \in \mathit{ENTS} \cdot \oplus\{s.X \mid X \leadsto^{s'} E\} \leadsto s.E \]

PROOF II (if equation (54) holds, then there exists a secure state $s'$ with flows described by relation $\leadsto^{s'}$, and reached by a secure transition from $s$) Define the confinement of each entity $E$ at state $s'$ as

\[ s'.E = \oplus\{s.X \mid X \leadsto^{s'} E\} \cap s.E \]

and the flows at state $s'$ as $E \leadsto^{s'} F \Leftrightarrow E \leadsto F$.

• Before proving that $s'$ and the transition are secure we will prove that the confinement for each entity is non-empty. Consider the lowest bound on $\Lambda = \oplus\{s.X \mid X \leadsto^{s'} E\}$. Since (54) holds, we know that there exists some $e \in s.E$ with $\bot_\Lambda \le e$. Furthermore, since $\leadsto^{s'}$ is reflexive we have $E \leadsto^{s'} E$ and thus $\bot_{s.E} \le \bot_\Lambda$ for $\Lambda$ above. Thus we have

\[ \bot_{s.E} \le \bot_\Lambda \le e \tag{55} \]

for $\bot_{s.E}, e \in s.E$. This implies that $s.E$ covers $\bot_\Lambda$. Thus we have $\bot_\Lambda \in s.E$, and also $\bot_\Lambda \in \Lambda$, and therefore $\bot_\Lambda \in s'.E$.

• That the transition from $s$ to $s'$ is secure follows since by its definition $s'.E$ is a subset of $s.E$.

• (state $s'$ is secure) Firstly, the group confinement of each entity is valid since we know that it is non-empty, and by lemma 16 since $v(s.X)$ holds then $v(\oplus\{s.X \mid X \leadsto^{s'} E\})$ also holds.

Now, suppose that there is a flow $E \leadsto^{s'} F$ at state $s'$. We know by the transitivity of $\leadsto^{s'}$ that,

\[
\begin{aligned}
s'.F &= \big(\oplus\{s.X \mid X \leadsto^{s'} E\} \oplus \oplus\{s.Y \mid Y \leadsto^{s'} F \land \lnot(Y \leadsto^{s'} E)\}\big) \cap s.F \\
&\Rightarrow \forall f \in s'.F \cdot \bot_{\oplus\{s.X \mid X \leadsto^{s'} E\}} \le f
\end{aligned}
\]

From above (equation (55)) we know that this lower bound is also a member of $s'.E$, and since

\[ s'.E = \oplus\{s.X \mid X \leadsto^{s'} E\} \cap s.E \]

it is the least element of $s'.E$, so we have

\[ E \leadsto^{s'} F \Rightarrow \forall f \in s'.F \cdot \bot_{s'.E} \le f \]

and state $s'$ is secure. □


Lemma 20 Given confinement groups $A$ and $B$ such that $v(A) \land v(B)$, then

\[ (A \oplus B) \cap A = \{a \in A \mid \bot_B \le a\} \]

PROOF We have by definition of upper aggregate,

\[
\begin{aligned}
a \in (A \oplus B) \cap A &\Rightarrow a \in A \land \exists b \in B \cdot b \le a \\
&\Rightarrow a \in A \land \bot_B \le a \\
a \in A \land \bot_B \le a &\Rightarrow \exists b \in B \cdot a \in A \land b \le a \\
&\Rightarrow \exists b \in B \cdot a \in A \land a \lor b = a \\
&\Rightarrow a \in (A \oplus B) \cap A
\end{aligned}
\]

□

Lemma 21 Given $A$ and $B$ such that $v(A) \land v(B)$, then

\[
\begin{aligned}
B \leadsto A &\Rightarrow v((A \oplus B) \cap A) \\
&\land\; \bot_{(A \oplus B) \cap A} = \bot_A \lor \bot_B
\end{aligned}
\]

PROOF We will prove that $\bot_A \lor \bot_B$ is a member of $(A \oplus B) \cap A$, and since it forms a lowest bound on $A \oplus B$ it will also form a lowest bound on $(A \oplus B) \cap A$ and thus $v((A \oplus B) \cap A)$ holds.

Firstly, note that $\bot_A \lor \bot_B$ is a member of $A \oplus B$. We have,

\[ B \leadsto A \Rightarrow \exists a \in A, b \in B \cdot b \le a \]

but $v(B)$ holds, so this simplifies to

\[
\begin{aligned}
B \leadsto A &\Rightarrow \exists a \in A \cdot \bot_B \le a \\
&\Rightarrow \exists a \in A \cdot \bot_B \lor \bot_A \le a \lor \bot_A \\
&\Rightarrow \exists a \in A \cdot \bot_B \lor \bot_A \le a
\end{aligned}
\]

This and the fact that $\bot_A \le \bot_B \lor \bot_A$ trivially holds gives

\[
\begin{aligned}
B \leadsto A &\Rightarrow \exists a \in A \cdot \bot_A \le \bot_A \lor \bot_B \land \bot_A \lor \bot_B \le a \\
&\Rightarrow A \text{ covers } \bot_A \lor \bot_B \\
&\Rightarrow \bot_A \lor \bot_B \in A
\end{aligned}
\]

Thus we have $\bot_A \lor \bot_B \in (A \oplus B) \cap A$. □

Lemma 22 The confinement of an entity $E$ at state $s_{n+1}$ reached by transition sequence $\Sigma_{n+1}$ (i.e., transition sequence $\Sigma_{n+1}$ built up using transition $\mathit{Req}$), can be calculated as,

\[ s_{n+1}.E = \{e \in s_n.E \mid \forall X \cdot X \leadsto^{s_{n+1}} E \Rightarrow \bot_{s_n.X} \le e\} \]

PROOF Since $\leadsto^{s_{n+1}}$ is reflexive, we have $E \leadsto^{s_{n+1}} E$ and applying lemma 20 gives,

\[
\begin{aligned}
s_{n+1}.E &= \oplus\{s_n.X \mid X \leadsto^{s_{n+1}} E\} \cap s_n.E \\
&= \big(\oplus\{s_n.X \mid X \leadsto^{s_{n+1}} E\} \oplus s_n.E\big) \cap s_n.E \\
&= \{e \in s_n.E \mid \bot_{\oplus\{s_n.X \mid X \leadsto^{s_{n+1}} E\}} \le e\}
\end{aligned}
\]

Finally, applying lemma 17 to this gives

\[ s_{n+1}.E = \{e \in s_n.E \mid \forall X \cdot X \leadsto^{s_{n+1}} E \Rightarrow \bot_{s_n.X} \le e\} \]

the required result. □


Lemma 23 The confinement of an entity $E$ at a state $s_n$ reached by transition sequence $\Sigma_n$ can be calculated as,

\[ s_n.E = \oplus\{s_0.X \mid X \leadsto^{\Sigma_n} E\} \cap s_0.E \tag{56} \]

PROOF First note that the application of lemmas 20 and 17 can produce a result similar to lemma 22 by allowing us to write equation (56) as

\[ s_n.E = \{e \in s_0.E \mid \forall X \cdot X \leadsto^{\Sigma_n} E \Rightarrow \bot_{s_0.X} \le e\} \tag{57} \]

To prove that this equation (57) holds (and thus equation (56) holds), we will use induction on the length of $\Sigma_n$.

• If $n = 1$, then

\[ s_1.E = \oplus\{s_0.X \mid X \leadsto^{s_1} E\} \cap s_0.E \]

follows from the post-condition for transition function $\mathit{Req}$.

• Assume that (57) holds for $n$ (hypothesis). Now consider a transition from state $s_n$ to state $s_{n+1}$. Since the transition is made by $\mathit{Req}$, then

\[ s_{n+1}.E = \{e \in s_n.E \mid \forall X \cdot X \leadsto^{s_{n+1}} E \Rightarrow \bot_{s_n.X} \le e\} \tag{58} \]

Consider each $X$ in this equation (58), where $X \leadsto^{s_{n+1}} E$. We have by the inductive hypothesis,

\[ s_n.X = \{x \in s_0.X \mid \forall Y \cdot Y \leadsto^{\Sigma_n} X \Rightarrow \bot_{s_0.Y} \le x\} \]

and since the original policy is a lattice,


Theorem 3 Given a transition sequence $\Sigma_n$ built from transition function $\mathit{Req}$, then if the transition to a state $s_{n+1}$ with flows defined by $\leadsto^{op}$ is not possible by the pre-condition on $\mathit{Req}(op, s)$, then the flows described by $\Sigma_{n+1}$ are not secure by GCFM, i.e., given state $s_n$ reached by $\Sigma_n$,

\[
\exists E \in \mathit{ENTS} \cdot \oplus\{s_n.X \mid X \leadsto^{op} E\} \not\leadsto s_n.E \;\Rightarrow\;
\exists \mathcal{E}, \mathcal{F} \subseteq \mathit{ENTS} \cdot \mathcal{E} \leadsto^{\Sigma_{n+1}} \mathcal{F} \land s_0.\mathcal{E}^{\oplus} \not\leadsto s_0.\mathcal{F}^{\otimes}
\]

PROOF To prove this we must, given $\oplus\{s_n.X \mid X \leadsto^{op} E\} \not\leadsto s_n.E$, show that some $\mathcal{E}, \mathcal{F} \subseteq \mathit{ENTS}$ exist such that $\mathcal{E} \leadsto^{\Sigma_{n+1}} \mathcal{F}$ but $s_0.\mathcal{E}^{\oplus} \not\leadsto s_0.\mathcal{F}^{\otimes}$. We will pick this $\mathcal{E}$ and $\mathcal{F}$ to be $\{X \mid X \leadsto^{\Sigma_{n+1}} E\}$ and $\{E\}$ respectively.

Suppose there is an $E$ such that $G \not\leadsto s_n.E$, where

\[ G = \oplus\{s_n.X \mid X \leadsto^{s_{n+1}} E\} \]

Applying lemmas 17 and 24 in order gives

\[
\begin{aligned}
\bot_G &= \lor\{\bot_{s_n.X} \mid X \leadsto^{s_{n+1}} E\} \\
&= \lor\{\lor\{\bot_{s_0.Y} \mid Y \leadsto^{\Sigma_n} X\} \mid X \leadsto^{s_{n+1}} E\} \\
&= \lor\{\bot_{s_0.Y} \mid \exists X \cdot Y \leadsto^{\Sigma_n} X \land X \leadsto^{s_{n+1}} E\} \\
&= \lor\{\bot_{s_0.Y} \mid Y \leadsto^{\Sigma_{n+1}} E\}
\end{aligned}
\tag{60}
\]

Note that since $E \leadsto^{s_{n+1}} E$, we have $\{X \mid X \leadsto^{\Sigma_n} E\} \subseteq \{X \mid X \leadsto^{\Sigma_{n+1}} E\}$, which implies

\[ \bot_{s_n.E} \le \bot_G \tag{61} \]

We have,

\[ G \not\leadsto s_n.E \Leftrightarrow \forall e \in s_n.E \cdot \lnot\, \bot_G \le e \]

Applying lemma 23 to $s_n.E$ in this equation gives

\[
\begin{aligned}
G \not\leadsto s_n.E &\Rightarrow \forall e \in s_0.E \cdot (\forall X \cdot X \leadsto^{\Sigma_n} E \Rightarrow \bot_{s_0.X} \le e) \Rightarrow \lnot\, \bot_G \le e \\
&\Rightarrow \forall e \in s_0.E \cdot \bot_{\oplus\{s_0.X \mid X \leadsto^{\Sigma_n} E\}} \le e \Rightarrow \lnot\, \bot_G \le e \\
&\Rightarrow \forall e \in s_0.E \cdot \lnot\big(\bot_{\oplus\{s_0.X \mid X \leadsto^{\Sigma_n} E\}} \le e \land \bot_G \le e\big)
\end{aligned}
\]

However, we have $\bot_{\oplus\{s_0.X \mid X \leadsto^{\Sigma_n} E\}} = \bot_{s_n.E}$, and from equation (61), $\bot_{s_n.E} \le \bot_G$. This gives

\[ G \not\leadsto s_n.E \Rightarrow \forall e \in s_0.E \cdot \lnot\, \bot_G \le e \]

Applying equation (60) gives,

\[ G \not\leadsto s_n.E \Rightarrow \oplus\{s_0.Y \mid Y \leadsto^{\Sigma_{n+1}} E\} \not\leadsto s_0.E \]

Thus the flow $\{Y \mid Y \leadsto^{\Sigma_{n+1}} E\} \leadsto^{\Sigma_{n+1}} \{E\}$ which is not permitted by the transition function $\mathit{Req}$ is not secure in GCFM. □
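The transition rule of lemmas 19 and 22, the closed form of lemma 23 and the GCFM check of theorems 2 and 3, as an added example in Python (not code from the paper). It uses a plain powerset lattice as the base lattice, so joins are unions and the bottom of a group is its least set; the entity names, their initial confinements and the sequence of flows are constructed for the example. Step 3 is refused by the pre-condition of $\mathit{Req}$, and the GCFM check under the initial bindings refuses the same flow, which is what theorem 3 predicts.

```python
# Added example, not code from the paper: the Req transition of lemmas 19 and 22,
# the closed form of lemma 23 and the GCFM check of theorems 2 and 3, run on a toy
# powerset lattice (a v b is union, a ^ b intersection; a confinement group is a
# frozenset of classes; a state maps entity name -> group, the paper's s.E).
from functools import reduce

def upper_aggregate(A, B):
    """A (+) B = {a v b | a in A, b in B}."""
    return frozenset(a | b for a in A for b in B)

def lower_aggregate(A, B):
    """A (x) B = {a ^ b | a in A, b in B}."""
    return frozenset(a & b for a in A for b in B)

def flows(A, B):
    """Group flow relation A ~> B: some element of A lies below some element of B."""
    return any(a <= b for a in A for b in B)

def bottom(A):
    """Least element of A, or None when v(A) fails."""
    return next((a for a in A if all(a <= x for x in A)), None)

def sources(E, rel):
    """{X | X ~> E} for a step relation given as (X, E) pairs; ~> is reflexive."""
    return sorted({X for X, Y in rel if Y == E} | {E})

def req_precondition(state, rel):
    """Lemma 19, eq. (54): for every E, (+){s.X | X ~> E} ~> s.E."""
    return all(flows(reduce(upper_aggregate, [state[X] for X in sources(E, rel)]),
                     state[E]) for E in state)

def req_step(state, rel):
    """Lemma 22: s'.E = {e in s.E | for all X ~> E: bottom(s.X) <= e}.
    Returns None when the pre-condition refuses the transition."""
    if not req_precondition(state, rel):
        return None
    new = {}
    for E, group in state.items():
        bots = [bottom(state[X]) for X in sources(E, rel)]
        assert None not in bots, "lemma 22 assumes v(s.X) for every entity"
        new[E] = frozenset(e for e in group if all(b <= e for b in bots))
    return new

def compose(reach, rel, ents):
    """X ~>^{Sigma_{n+1}} E iff X ~>^{Sigma_n} G and G ~>^{s_{n+1}} E for some G."""
    step = set(rel) | {(E, E) for E in ents}
    return {(X, E) for X, G in reach for G2, E in step if G == G2}

def run(state0, steps):
    """Apply Req per step; returns (states, cumulative Sigma_n, refused step or None)."""
    ents, reach, states = list(state0), {(E, E) for E in state0}, [state0]
    for rel in steps:
        nxt = req_step(states[-1], rel)
        if nxt is None:
            return states, reach, rel
        reach = compose(reach, rel, ents)
        states.append(nxt)
    return states, reach, None

def closed_form(state0, reach, E):
    """Lemma 23, eq. (57): s_n.E computed directly from s_0 and Sigma_n."""
    bots = [bottom(state0[X]) for X, Y in reach if Y == E]
    return frozenset(e for e in state0[E] if all(b <= e for b in bots))

def gcfm_permits(state0, srcs, tgts):
    """Theorems 2 and 3: (+){s_0.X | X in srcs} ~> (x){s_0.Y | Y in tgts}."""
    return flows(reduce(upper_aggregate, [state0[X] for X in srcs]),
                 reduce(lower_aggregate, [state0[Y] for Y in tgts]))

def interval(lo, hi):
    """All classes between lo and hi: the largest group equivalent to {lo, hi}."""
    extra = sorted(hi - lo)
    return frozenset(lo | frozenset(c for i, c in enumerate(extra) if k >> i & 1)
                     for k in range(1 << len(extra)))

P = frozenset  # a class of the powerset lattice, e.g. P("xy") == {x, y}

# Constructed scenario: files F1 (class {x}), F2 ({y}) and OUT ({x, y}), and a
# user U that may sit anywhere between {} and {x, y}. Step 1: U reads F1; step 2:
# U writes OUT; step 3: U tries to write F2, carrying x-information into a y file.
STATE0 = {"F1": P({P("x")}), "F2": P({P("y")}),
          "OUT": P({P("xy")}), "U": interval(P(), P("xy"))}
STEPS = [{("F1", "U")}, {("U", "OUT")}, {("U", "F2")}]

def demo():
    states, reach, refused = run(STATE0, STEPS)
    after = compose(reach, refused, list(STATE0)) if refused else reach
    srcs = sorted(X for X, Y in after if Y == "F2")   # theorem 3's choice of sources
    return {"accepted": len(states) - 1, "refused": refused,
            "U_after_read": states[1]["U"],
            "closed_form_ok": all(states[-1][E] == closed_form(STATE0, reach, E)
                                  for E in STATE0),
            "refused_flow_gcfm": gcfm_permits(STATE0, srcs, ["F2"]),
            "accepted_flow_gcfm": gcfm_permits(STATE0, ["F1", "U", "OUT"], ["OUT"])}
```

`demo()` reports two accepted steps, the user's confinement shrinking from the whole interval to $\{\{x\}, \{x,y\}\}$ after reading F1 (lemma 22), agreement between the iterated states and lemma 23's closed form, and that the refused step's sources $\{F1, U, F2\}$ aggregate to $\{\{x,y\}\}$, which cannot flow to F2's initial group $\{\{y\}\}$ in the GCFM either.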


A.3  Reflexive  Flow  Policies 

Lemma 25 The bound order relation (definition 9) is a partial order.

PROOF Reflexivity and antisymmetry follow directly from the fact that the flow relation $\leadsto$ is reflexive and pseudo-antisymmetric.

By the definition of bound order we have for $a, b, c \in \alpha R$

\[
\begin{aligned}
a \le b \land b \le c &\Rightarrow (\forall x \cdot x \leadsto a \Rightarrow x \leadsto b) \land (\forall x \cdot x \leadsto b \Rightarrow x \leadsto c) \\
&\Rightarrow \forall x \cdot x \leadsto a \Rightarrow x \leadsto c
\end{aligned}
\tag{62}
\]

similarly,

\[ a \le b \land b \le c \Rightarrow \forall x \cdot c \leadsto x \Rightarrow a \leadsto x \tag{63} \]

combining equations (62) and (63) gives

\[ a \le b \land b \le c \Rightarrow a \le c \]

i.e., bound order is transitive. □

Theorem 4 The symmetric powerset lattice forms a lattice, i.e., given set $S$ then $\mathcal{P}_S S$ is partially ordered and every pair of components has unique lowest upper and greatest lower bounds.

PROOF

• $\mathcal{P}_S S$ is reflexive. Follows from its definition.

• $\mathcal{P}_S S$ is antisymmetric. For $A, B \in \mathcal{P}_S S$, we have by definition,

\[
\begin{aligned}
A \le B &\Rightarrow B_L \subseteq A_L \\
B \le A &\Rightarrow A_L \subseteq B_L
\end{aligned}
\]

which implies $A_L = B_L$. We can similarly show that $A_H = B_H$, and thus $A = B$.

• $\mathcal{P}_S S$ is transitive. For $A, B, C \in \mathcal{P}_S S$ we have by definition,

\[
\begin{aligned}
A \le B &\Rightarrow B_L \subseteq A_L \\
B \le C &\Rightarrow C_L \subseteq B_L
\end{aligned}
\]

which implies $C_L \subseteq A_L$. We can similarly show that $C_H \supseteq A_H$, and thus $A \le C$.

• $\lor$ is the lowest upper bound operator for $\mathcal{P}_S S$. Since intersection gives greatest lower bound and union lowest upper bound on a powerset lattice, then for $A, B \in \mathcal{P}_S S$,

\[ (A_L \supseteq A_L \cap B_L) \land (A_H \subseteq A_H \cup B_H) \]

i.e., $A \le A \lor B$. Similarly, $B \le A \lor B$. Furthermore, for every upper bound $C \in \mathcal{P}_S S$ of $A$ and $B$ we have,

\[ (A_L \supseteq C_L \land B_L \supseteq C_L) \land (A_H \subseteq C_H \land B_H \subseteq C_H) \]

which implies

\[ (A_L \cap B_L \supseteq C_L) \land (A_H \cup B_H \subseteq C_H) \]

i.e., $A \lor B$ gives the lowest upper bound.

• $\land$ is the greatest lower bound operator. Follows from the symmetry between its definition and the definition of the lowest upper bound operator.

□

Lemma 26 The symmetric powerset lattice is distributive, i.e., for $A, B, C \in \mathcal{P}_S S$ for some set $S$, then

\[ A \lor (B \land C) = (A \lor B) \land (A \lor C) \]

PROOF Since a powerset lattice is distributive, then from the definition of a symmetric powerset lattice,

\[
\begin{aligned}
A \lor (B \land C) &= A \lor (B_L \cup C_L,\ B_H \cap C_H) \\
&= (A_L \cap (B_L \cup C_L),\ A_H \cup (B_H \cap C_H)) \\
&= ((A_L \cap B_L) \cup (A_L \cap C_L),\ (A_H \cup B_H) \cap (A_H \cup C_H)) \\
&= (A \lor B) \land (A \lor C)
\end{aligned}
\]

and we can similarly show that

\[ A \land (B \lor C) = (A \land B) \lor (A \land C) \]

also holds. □

Theorem 5 The mapping $f^{\mathcal{P}_S}$ from an arbitrary quoset $Q$ to the symmetric powerset lattice $\mathcal{P}_S\,\alpha Q$ preserves the orderings of $Q$, i.e.,

\[ \forall a, b \in \alpha Q \cdot a \le^{Q} b \Leftrightarrow f^{\mathcal{P}_S}(a) \le^{\mathcal{P}_S \alpha Q} f^{\mathcal{P}_S}(b) \]

PROOF I For $a, b \in \alpha Q$ we have,

\[
\begin{aligned}
f^{\mathcal{P}_S}(a) \le f^{\mathcal{P}_S}(b) &\Rightarrow \{y \mid y \le a\} \subseteq \{y \mid y \le b\} \\
&\Rightarrow \forall y \cdot y \le a \Rightarrow y \le b \\
&\Rightarrow a \le a \Rightarrow a \le b
\end{aligned}
\]

and since $a \le a$ holds by reflexivity, $a \le b$.

PROOF II Given $a, b \in \alpha Q$, we have $(f^{\mathcal{P}_S}(b))_L = \{y \mid b \le y\}$ and $(f^{\mathcal{P}_S}(b))_H = \{y \mid y \le b\}$. If $a \le b$ then $a \in (f^{\mathcal{P}_S}(b))_H$ and by transitivity $x \le a \Rightarrow x \in (f^{\mathcal{P}_S}(b))_H$, which implies that

\[ \{y \mid y \le a\} \subseteq \{y \mid y \le b\} \]

and similarly we have that

\[ a \le b \Rightarrow \{y \mid a \le y\} \supseteq \{y \mid b \le y\} \]

and thus $a \le b \Rightarrow f^{\mathcal{P}_S}(a) \le f^{\mathcal{P}_S}(b)$ □


Lemma 27 Given the mapping $f^{\mathcal{P}}$ from a quoset to a powerset lattice then if collections of classes are disjoint from one another in $Q$ (written $A \mathrel{\|} B$ below) then so are their lowest upper bounds in $\mathcal{P}\,\alpha Q$, i.e.,

\[ \forall A, B \subseteq \alpha Q \cdot A \mathrel{\|} B \Rightarrow \big(\textstyle\bigcup\{f^{\mathcal{P}}(a) \mid a \in A\}\big) \mathrel{\|} \big(\textstyle\bigcup\{f^{\mathcal{P}}(b) \mid b \in B\}\big) \]

PROOF If $A \mathrel{\|} B$, then for all $a \in A$ there is no $b \in B$ such that $b \le a$. Thus, since $f^{\mathcal{P}}(a) = \{y \mid y \le a\}$ then

\[ b \in B \Rightarrow b \notin \textstyle\bigcup\{f^{\mathcal{P}}(a) \mid a \in A\} \]

Similarly we have,

\[ a \in A \Rightarrow a \notin \textstyle\bigcup\{f^{\mathcal{P}}(b) \mid b \in B\} \]

Reflexivity of $Q$ gives us

\[ b \in B \Rightarrow b \in \textstyle\bigcup\{f^{\mathcal{P}}(b) \mid b \in B\} \qquad a \in A \Rightarrow a \in \textstyle\bigcup\{f^{\mathcal{P}}(a) \mid a \in A\} \]

Combining this with the two previous equations implies that if $A \mathrel{\|} B$ then there are components of $\bigcup\{f^{\mathcal{P}}(a) \mid a \in A\}$ that are not in $\bigcup\{f^{\mathcal{P}}(b) \mid b \in B\}$, and vice versa. Thus the lowest upper bounds are disjoint. □

Lemma 28 Given the mapping $f^{\mathcal{P}_S}$ from a quoset to a symmetric powerset lattice then if collections of classes are disjoint from one another in $Q$ then so are their lowest upper and greatest lower bounds in $\mathcal{P}_S\,\alpha Q$, i.e.,

\[
\begin{aligned}
\forall A, B \subseteq \alpha Q \cdot A \mathrel{\|} B \Rightarrow\;& \big(\lor\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big) \mathrel{\|} \big(\lor\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big) \\
\land\;& \big(\land\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big) \mathrel{\|} \big(\land\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big)
\end{aligned}
\]

PROOF We have,

\[ \lor\{f^{\mathcal{P}_S}(a) \mid a \in A\} = \big(\{y \mid \forall a \in A \cdot a \le y\},\ \{y \mid \exists a \in A \cdot y \le a\}\big) \]

and from lemma 27 we know that if $A \mathrel{\|} B$, then

\[ \big(\lor\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big)_H \mathrel{\|} \big(\lor\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big)_H \]

and it follows from the ordering relation over $\mathcal{P}_S\,\alpha Q$ that

\[ A \mathrel{\|} B \Rightarrow \big(\lor\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big) \mathrel{\|} \big(\lor\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big) \]

Similarly, if $A \mathrel{\|} B$ we have

\[ \big(\land\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big)_L \mathrel{\|} \big(\land\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big)_L \]

which implies that

\[ A \mathrel{\|} B \Rightarrow \big(\land\{f^{\mathcal{P}_S}(a) \mid a \in A\}\big) \mathrel{\|} \big(\land\{f^{\mathcal{P}_S}(b) \mid b \in B\}\big) \]

□

Lemma 29 The mapping $f^{\mathcal{P}}$ from reflexive policy $R$ to a group policy $R_G$ built from a powerset lattice preserves the flows in $R$, i.e.,

\[ \forall a, b \in \alpha R \cdot a \leadsto b \Leftrightarrow f^{\mathcal{P}}(a) \leadsto f^{\mathcal{P}}(b) \]

PROOF I We have by definition, that for $a, b \in \alpha R$,

\[ f^{\mathcal{P}}(a) \leadsto f^{\mathcal{P}}(b) \Leftrightarrow \exists X \in f^{\mathcal{P}}(a), Y \in f^{\mathcal{P}}(b) \cdot X \subseteq Y \]

but since $f^{\mathcal{P}}(a)$ forms an interval, then $X \in f^{\mathcal{P}}(a)$ implies $l^{\mathcal{P}}(a) \subseteq X \subseteq h^{\mathcal{P}}(a)$. Thus,

\[
\begin{aligned}
f^{\mathcal{P}}(a) \leadsto f^{\mathcal{P}}(b) &\Rightarrow \exists X \in f^{\mathcal{P}}(a), Y \in f^{\mathcal{P}}(b) \cdot l^{\mathcal{P}}(a) \subseteq X \subseteq Y \subseteq h^{\mathcal{P}}(b) \\
&\Rightarrow l^{\mathcal{P}}(a) \subseteq h^{\mathcal{P}}(b)
\end{aligned}
\]

and since $a \le a$ holds, we have $a \in l^{\mathcal{P}}(a)$ and from above, $a \in h^{\mathcal{P}}(b)$. By the definition of $h^{\mathcal{P}}$, $a \in h^{\mathcal{P}}(b)$ implies $a \leadsto b$.

PROOF II The definition of bound order gives,

\[ \forall y \cdot y \le a \Rightarrow \forall x \cdot a \leadsto x \Rightarrow y \leadsto x \]

Pick $x = b$ in this equation, and if $a \leadsto b$ holds, then

\[
\begin{aligned}
&\forall y \cdot y \le a \Rightarrow a \leadsto b \Rightarrow y \leadsto b \\
\Rightarrow\;& \{y \mid y \le a\} \subseteq \{y \mid y \leadsto b\} \\
\Rightarrow\;& l^{\mathcal{P}}(a) \subseteq h^{\mathcal{P}}(b)
\end{aligned}
\]

and hence $f^{\mathcal{P}}(a) \leadsto f^{\mathcal{P}}(b)$. □

Lemma 30 The mapping $f^{\mathcal{P}_S G}$ (definition 16) from $R$ to the group policy $R_G$ built from a symmetric powerset lattice preserves the flows in $R$, i.e.,

\[ \forall a, b \in \alpha R \cdot a \leadsto b \Leftrightarrow f^{\mathcal{P}_S G}(a) \leadsto f^{\mathcal{P}_S G}(b) \]

PROOF I We first note a property of the function $f^{\mathcal{P}_S G}$: it maps each element of $\alpha R$ onto an interval of $\mathcal{P}_S\,\alpha R$, i.e.,

\[ \forall x \in \alpha R \cdot l^{\mathcal{P}_S}(x) \le h^{\mathcal{P}_S}(x) \tag{64} \]

This follows by applying the fact that if $a \le b$ holds in $R$ then $a \leadsto b$ holds, to the definition of $l^{\mathcal{P}_S}$ and $h^{\mathcal{P}_S}$.

Now applying this law to $\leadsto$ defined over $\mathcal{P}_S\,\alpha R$ we get for $a, b \in \alpha R$,

\[
\begin{aligned}
f^{\mathcal{P}_S G}(a) \leadsto f^{\mathcal{P}_S G}(b) &\Leftrightarrow \exists X \in f^{\mathcal{P}_S G}(a), Y \in f^{\mathcal{P}_S G}(b) \cdot X \le Y \\
&\Leftrightarrow l^{\mathcal{P}_S}(a) \le h^{\mathcal{P}_S}(b)
\end{aligned}
\]

Unfolding $l^{\mathcal{P}_S}$ and $h^{\mathcal{P}_S}$ used above gives us,

\[
\begin{aligned}
f^{\mathcal{P}_S G}(a) \leadsto f^{\mathcal{P}_S G}(b) &\Rightarrow \{y \mid a \leadsto y\} \supseteq \{y \mid b \le y\} \\
&\Rightarrow \forall y \cdot b \le y \Rightarrow a \leadsto y \\
&\Rightarrow b \le b \Rightarrow a \leadsto b \\
&\Rightarrow a \leadsto b
\end{aligned}
\]

PROOF II The definition of bound order gives,

\[ \forall y \cdot (b \le y \Rightarrow \forall x \cdot x \leadsto b \Rightarrow x \leadsto y) \tag{65} \]

Pick $x$ in equation (65) above such that $x = a$, and assume that $a \leadsto b$. This gives,

\[
\begin{aligned}
&\forall y \cdot b \le y \Rightarrow a \leadsto b \Rightarrow a \leadsto y \\
\Rightarrow\;& \{y \mid b \le y\} \subseteq \{y \mid a \leadsto y\}
\end{aligned}
\tag{66}
\]

Similarly, we can prove using the fact that

\[ \forall y \cdot y \le a \Rightarrow \forall x \cdot a \leadsto x \Rightarrow y \leadsto x \]

and $a \leadsto b$ implies

\[ \{y \mid y \le a\} \subseteq \{y \mid y \leadsto b\} \tag{67} \]

Combining (66) and (67) gives

\[
\begin{aligned}
a \leadsto b &\Rightarrow l^{\mathcal{P}_S}(a) \le h^{\mathcal{P}_S}(b) \\
&\Rightarrow f^{\mathcal{P}_S G}(a) \leadsto f^{\mathcal{P}_S G}(b)
\end{aligned}
\]

the desired result. □

B Transforming a Reflexive Policy to a Symmetric Powerset

Section 4.2 considered how a reflexive policy could be transformed into a powerset lattice and appropriate group confinements to be enforced by the GCFM. This section of the appendix will show how the transformation can be made to a symmetric powerset lattice.
Given a reflexive flow policy $R$, construct a group confinement flow policy (section 2) built from the symmetric powerset lattice of the set of security classes defined by $R$. The alphabet of this lattice $R_G$ is,

\[ \alpha R_G = \{X \mid X \subseteq \mathcal{P}_S\,\alpha R\} - \{\{\}\} \]

and has a flow relation (definition 2) defined as ($A, B \in \alpha R_G$),

\[ A \leadsto B \Leftrightarrow \exists X \in A, Y \in B \cdot X \le Y \]

As with an $R_G$ built from a powerset lattice, this flow relation has a bound order defined by the partial ordering relation $\le$ on $R_G$. We know from section 2 that $R_G$ does not form a lattice, but if we consider only group confinements that form intervals on $\mathcal{P}_S\,\alpha R$, i.e., for each confinement $A$,

\[ \exists l, h \in A \cdot \forall x \in A \cdot l \le x \land x \le h \]

then the set of all such confinements is closed over $\oplus$ and $\otimes$, and it forms a sublattice (an interval lattice[10] of $R_G$ with $\oplus$ as lowest upper and $\otimes$ as greatest lower bound operators). Furthermore, from the above we know that this interval sublattice forms a reflexive lattice with flow relation $\leadsto$ and bound order $\le$.

Definition 16 Define a mapping $f^{\mathcal{P}_S G}$ from arbitrary reflexive relation $R$ to this sublattice of $R_G$ as

\[ f^{\mathcal{P}_S G} : \alpha R \to \alpha R_G \qquad f^{\mathcal{P}_S G}(a) = \{l^{\mathcal{P}_S}(a), h^{\mathcal{P}_S}(a)\} \]

where

\[
\begin{aligned}
l^{\mathcal{P}_S}(a) &= (\{b \mid a \leadsto b\},\ \{b \mid b \le a\}) \\
h^{\mathcal{P}_S}(a) &= (\{b \mid a \le b\},\ \{b \mid b \leadsto a\})
\end{aligned}
\]

◇

Each component of $R$ will be mapped to an interval of $\mathcal{P}_S\,\alpha R$, with bottom $l^{\mathcal{P}_S}(a)$ and top $h^{\mathcal{P}_S}(a)$. Thus $f^{\mathcal{P}_S G}$ is a mapping from $R$ to a reflexive lattice. The mapping $f^{\mathcal{P}_S G}$ preserves the flows of $R$, i.e.,

\[ \forall a, b \in \alpha R \cdot a \leadsto b \Leftrightarrow f^{\mathcal{P}_S G}(a) \leadsto f^{\mathcal{P}_S G}(b) \]

Thus we can use $f^{\mathcal{P}_S G}(a)$ in $R_G$ for any class $a$ drawn from $R$ with no detrimental effect on flows.

In the same way that a group of classes $A \subseteq \alpha R$ gets transformed to the group $\bigcup\{f^{\mathcal{P}}(a) \mid a \in A\}$ so that it can be modelled in the GCFM enforcing a powerset lattice, it can be mapped to the group $\bigcup\{f^{\mathcal{P}_S G}(a) \mid a \in A\}$ to be modelled in the GCFM enforcing the symmetric powerset lattice.

Example 21 A private hospital information system processes information of class records (medical history); treatment (given to patients); accounts (for patients); director (shareholder information); and management. How information may flow between these different classes is described by the reflexive relation in figure 9. Note how treatment information is allowed to flow to records or management, but for confidentiality reasons, cannot flow to class director. Similarly, accounts information is not allowed to flow to records (for profitability reasons). Management is allowed to coordinate all this information given these constraints. This reflexive relation can be transformed into the reflexive lattice $R_G$ using the mapping described in table 6. Observe from this table that if information of class treatment and accounts are combined then their lowest upper bound in $R_G$ is not $f^{\mathcal{P}_S G}(\text{management})$, but $\{(\{m\},\{ta\}), (\{\},\{at\})\}$, which may flow to class management, but not to records nor director.

[Figure 9: Flow policy HOSPITAL]

    x            f^{P_S G}(x)
    records      {({r},{tr}), ({r},{tmr})}
    director     {({d},{da}), ({d},{dma})}
    management   {({mrd},{m}), ({m},{tma})}
    treatment    {({tmr},{t}), ({tr},{t})}
    accounts     {({amd},{a}), ({ad},{a})}

Table 6: Mapping from R = HOSPITAL to $R_G$

A consultant in this hospital might be allowed to sink and/or source information of class treatment and records, and thus is confined to the group {treatment, records}. In the GCFM this corresponds to a binding

\[
\begin{aligned}
f^{\mathcal{P}_S G}(\text{treatment}) \cup f^{\mathcal{P}_S G}(\text{records}) &= \{(\{tmr\},\{t\}), (\{tr\},\{t\}), (\{r\},\{tr\}), (\{r\},\{tmr\})\} \\
&= \{(\{tmr\},\{t\}), (\{r\},\{tmr\})\}
\end{aligned}
\]

The hospital administrator might be bound to {management}. Note how the consultant and administrator are bound to groups of 'classes' from the (symmetric powerset) lattice $\mathcal{P}_S\,\alpha\mathrm{HOSPITAL}$ which is enforced by GCFM. These classes can be thought of as representing the sources/sinks that they are permitted to make. For example, class ({mrd},{m}) means that the administrator can source record and director information (the {mrd} part), but in this case cannot sink accounts or treatment information (the {m} part); the administrator may also sink accounts and treatment information since ({m},{tma}) is in his group confinement, but in this case cannot source records or director information (ensures non-transitivity). Note how class management does not include element ({tm},{md}), ensuring that information does not flow from treatment to directors.

This range of possible classes representing management works neatly within the MAC model described earlier. An administrator starts out with the potential to access everything. However as he makes accesses, certain classes will be removed from his group confinement to ensure that he cannot violate the flow policy. For example, if the administrator chooses to read treatment information, he may no longer forward information to directors (but may still forward to records). We shall see further examples of these kinds of aggregate policies in the next section. △

Thus, an arbitrary reflexive flow policy can be transformed and enforced by the GCFM.

If the policy is transitive, then each component $a$ of the policy $\alpha R$ will map to a singleton set $\{l^{\mathcal{P}_S}(a)\}$ in $R_G$, since $l^{\mathcal{P}_S}(a) = h^{\mathcal{P}_S}(a)$. If the policy is not transitive, then certain components of $\alpha R$ will map to a group of classes from $\mathcal{P}_S\,\alpha R$ (in fact an interval, since $l^{\mathcal{P}_S}(a) \le h^{\mathcal{P}_S}(a)$).

Example 22 Consider a market analysis database that contains information about banks Bank-x and Bank-y, and oil companies Oil-z and Oil-w. There are two conflict of interest classes BANKS and OIL. Within conflict class BANKS there are two kinds of information (datasets) bank-x and bank-y, corresponding to the class of information held by Bank-x and Bank-y respectively. The Chinese wall policy insists that these classes are disjoint, i.e., information about one bank is not allowed to flow to another bank. Thus the conflict of interest class BANKS can be thought of as describing a flow policy with alphabet {bank-x, bank-y} and relations bank-x $\leadsto$ bank-x, bank-y $\leadsto$ bank-y. Conflict policy OIL has a similar definition, with alphabet {oil-z, oil-w} and classes oil-z and oil-w disjoint.

    x         f^{P_S G}(x)
    bank-x    {({xzw},{x}), ({x},{xzw})}
    bank-y    {({yzw},{y}), ({y},{yzw})}
    oil-z     {({xyz},{z}), ({z},{xyz})}
    oil-w     {({xyw},{w}), ({w},{xyw})}

Table 7: Mapping for BANKS $\sqcup$ OIL

Now we must define how these two policies can be composed. Flows are possible between the components of the conflict policies so long as they do not violate the relations within them. Therefore, the overall flow policy can be described by the join[10] of BANKS and OIL. Policy join ($\sqcup$) of policies $C1$ and $C2$ has alphabet $(\alpha C1 \cup \alpha C2)$ and its flow relation is defined as ($a, b \in \alpha(C1 \sqcup C2)$),

\[ a \leadsto b \;\Leftrightarrow\; (a, b \in \alpha C1 \Rightarrow a \leadsto_{C1} b) \land (a, b \in \alpha C2 \Rightarrow a \leadsto_{C2} b) \]

Table 7 gives the mapping of this policy to the group lattice built from the symmetric powerset lattice $\mathcal{P}_S\{x, y, z, w\}$, where bank-x is abbreviated to x, and similarly for the other classes. However, on closer inspection of policy BANKS $\sqcup$ OIL we discover that it is too general for our purposes here: it (correctly by its definition) permits flows from bank-x to oil-z and from bank-y to oil-z and also from bank-x $\oplus$ bank-y to oil-z, which is not desirable. Thus, we need to supplement the definition of join with a definition of how the aggregates of classes may flow in the joined policy. In the case of oil-z we wish to prevent it from sourcing/sinking aggregate bank-x $\oplus$ bank-y. Therefore given that,

\[ f(\text{bank-x}) \oplus f(\text{bank-y}) = \{(\{zw\},\{xy\}), (\{\},\{xyzw\})\} \]
define a class oil-z' as[8],

\[
\begin{aligned}
\text{oil-z'} &= f(\text{oil-z}) - (f(\text{bank-x}) \oplus f(\text{bank-y})) \\
&= \{(\{xyz\},\{z\}), (\{z\},\{xz\}), (\{z\},\{yz\})\}
\end{aligned}
\]

Note how ({z},{xyz}) is no longer a member of oil-z'. The other classes can be similarly redefined so as to constrain flows of (conflicting) aggregates,

\[
\begin{aligned}
\text{bank-x'} &= f(\text{bank-x}) - (f(\text{oil-z}) \oplus f(\text{oil-w})) \\
&= \{(\{xzw\},\{x\}), (\{x\},\{xz\}), (\{x\},\{xw\})\} \\
\text{bank-y'} &= f(\text{bank-y}) - (f(\text{oil-z}) \oplus f(\text{oil-w})) \\
&= \{(\{yzw\},\{y\}), (\{y\},\{yz\}), (\{y\},\{yw\})\} \\
\text{oil-w'} &= f(\text{oil-w}) - (f(\text{bank-x}) \oplus f(\text{bank-y})) \\
&= \{(\{xyw\},\{w\}), (\{w\},\{xw\}), (\{w\},\{yw\})\}
\end{aligned}
\]

Now, under this flow policy information is permitted to flow between the classes of different conflict policies. For example, bank-x' and bank-y' may flow to oil-z', but their aggregate bank-x' $\oplus$ bank-y' may not.

We could make an additional restriction about information of class oil-z being permitted to sink bank-x or bank-y information, but not both, i.e., remove bank-x $\otimes$ bank-y. This gives,

\[
\begin{aligned}
\text{oil-z''} &= \text{oil-z'} - (f(\text{bank-x}) \otimes f(\text{bank-y})) \\
&= \{(\{xz\},\{z\}), (\{yz\},\{z\}), (\{z\},\{xz\}), (\{z\},\{yz\})\}
\end{aligned}
\]

This is analogous to the requirement that once a user has written to one banking file, he cannot write to other conflicting banking files. In section 4.2 of this report, the group policy is constructed from a normal powerset lattice, and as was illustrated in section 4.1.1, cannot effectively distinguish between the lower bounds of bank-x and bank-y or bank-x and oil-z. Therefore, if we wish to express this kind of constraint on the policy a symmetric powerset lattice must be used. Note however, that $v(\text{oil-z''})$ does not hold, and thus such a policy could not be captured by the SMM system model. However, as has already been noted, this policy is a class of integrity policy and could be enforced as such.

[8] Note that the set difference operator is defined on the largest groups in the equivalence classes of its operands.
Any information about Bank-x stored in the database will have group confinement bank-x'; information about Bank-y will have confinement bank-y', etc. A user of the database will be confined to (bank-x' $\cup$ bank-y' $\cup$ oil-z' $\cup$ oil-w'), allowing access to every individual item of company information but not to conflicting aggregates.

Consider a database with entries $X, Y, Z$ and $W$ confined as

\[
\begin{aligned}
X &= \text{bank-x'} & Z &= \text{oil-z'} \\
Y &= \text{bank-y'} & W &= \text{oil-w'}
\end{aligned}
\]

and a user $E$ with confinement (bank-x' $\cup$ bank-y' $\cup$ oil-z' $\cup$ oil-w'). A system with flows $\{X, Z\} \leadsto E$ is secure since

\[ X \oplus Z = \{(\{xz\},\{xz\}), (\{\},\{xyzw\})\} \leadsto E \]

Note how $X \oplus Z$ cannot flow to file $Y$. A system with flow $\{X, Y\} \leadsto E$ is not secure since

\[ X \oplus Y = \{(\{zw\},\{xy\}), (\{\},\{xyzw\})\} \]

may not flow to $E$ since there is no component of $E$ that contains ({zw},{xy}). △
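The symmetric powerset lattice, definition 16 and the two examples above, as an added example in Python (not the paper's code). Three things in it are assumptions rather than taken from the page: the HOSPITAL flow relation is reconstructed from table 6 because figure 9 is not reproduced (t ⇝ r, t ⇝ m, a ⇝ m, a ⇝ d, m ⇝ r, m ⇝ d, plus the reflexive pairs); the "largest group in the equivalence class" of footnote [8] is taken to be the set of all lattice elements lying between two members of the group; and the administrator's read of treatment information is modelled with lemma 19's update $\oplus\{s.X \mid X \leadsto E\} \cap s.E$. Classes are single letters and an element ({L},{H}) is built with `E("L", "H")`.

```python
# Added example, not code from the paper: the symmetric powerset lattice P_S, the
# mapping f^{P_S G} of definition 16 and the aggregates of examples 21 and 22. The
# HOSPITAL relation is reconstructed from table 6 (figure 9 is not reproduced) and
# "largest group" (footnote 8) is read as the convex hull under the lattice order.
from itertools import combinations

def universe(classes):
    """All (L, H) of P_S classes: L = classes an entity may source, H = may sink."""
    subs = [frozenset(c) for k in range(len(classes) + 1)
            for c in combinations(sorted(classes), k)]
    return frozenset((L, H) for L in subs for H in subs)

def E(L, H):  # an element written ({..},{..}) as in tables 6 and 7
    return (frozenset(L), frozenset(H))

# Theorem 4: A <= B iff B_L c A_L and A_H c B_H; join and meet are componentwise.
def leq(a, b): return b[0] <= a[0] and a[1] <= b[1]
def join(a, b): return (a[0] & b[0], a[1] | b[1])
def meet(a, b): return (a[0] | b[0], a[1] & b[1])

# Confinement groups are frozensets of elements; (+), (x) and ~> as in section 2.
def upper(A, B): return frozenset(join(a, b) for a in A for b in B)
def lower(A, B): return frozenset(meet(a, b) for a in A for b in B)
def flows(A, B): return any(leq(a, b) for a in A for b in B)

def bottom(A):
    """Least element of A, or None when v(A) fails."""
    return next((a for a in A if all(leq(a, x) for x in A)), None)

def hull(A, U):
    """Largest group equivalent to A: every element of U between two elements of A."""
    return frozenset(x for x in U if any(leq(a, x) for a in A) and any(leq(x, a) for a in A))

def canon(A):
    """Minimal and maximal elements of A, the endpoint form the paper's tables use."""
    mins = {a for a in A if not any(b != a and leq(b, a) for b in A)}
    maxs = {a for a in A if not any(b != a and leq(a, b) for b in A)}
    return frozenset(mins | maxs)

def bound_leq(R, a, b):
    """Bound order (definition 9) on a reflexive policy R given as (src, dst) pairs."""
    cls = {c for p in R for c in p}
    return (all((x, b) in R for x in cls if (x, a) in R)
            and all((a, x) in R for x in cls if (b, x) in R))

def f_map(R, a):
    """Definition 16: f^{P_S G}(a) = {l(a), h(a)}."""
    cls = {c for p in R for c in p}
    lo = (frozenset(b for b in cls if (a, b) in R),
          frozenset(b for b in cls if bound_leq(R, b, a)))
    hi = (frozenset(b for b in cls if bound_leq(R, a, b)),
          frozenset(b for b in cls if (b, a) in R))
    return frozenset({lo, hi})

def reflexive(pairs, cls):
    return frozenset(pairs) | {(c, c) for c in cls}

def policy_join(R1, R2):
    """Join of policies (example 22): a ~> b unless a policy containing both forbids it."""
    c1, c2 = {c for p in R1 for c in p}, {c for p in R2 for c in p}
    return frozenset((a, b) for a in c1 | c2 for b in c1 | c2
                     if (not (a in c1 and b in c1) or (a, b) in R1)
                     and (not (a in c2 and b in c2) or (a, b) in R2))

# Example 21: t(reatment), r(ecords), m(anagement), d(irector), a(ccounts); assumed.
HOSPITAL = reflexive({("t", "r"), ("t", "m"), ("a", "m"), ("a", "d"), ("m", "r"), ("m", "d")}, "trmda")
U5 = universe("trmda")

def hospital_facts():
    f = lambda c: f_map(HOSPITAL, c)
    t_plus_a = canon(upper(f("t"), f("a")))
    # administrator reads treatment: lemma 19's update (+){s.X | X ~> E} intersect s.E
    admin = canon(hull(upper(f("t"), f("m")), U5) & hull(f("m"), U5))
    return {"treatment": f("t"), "t+a": t_plus_a,
            "t+a flows to": {c for c in "trmda" if flows(t_plus_a, f(c))},
            "consultant": canon(f("t") | f("r")),
            "admin->director before": flows(f("m"), f("d")),
            "admin->director after": flows(admin, f("d")),
            "admin->records after": flows(admin, f("r"))}

# Example 22: Chinese wall over x, y (BANKS) and z, w (OIL), composed by policy join.
MARKET = policy_join(reflexive(set(), "xy"), reflexive(set(), "zw"))
U4 = universe("xyzw")

def wall_facts():
    f = lambda c: hull(f_map(MARKET, c), U4)
    xy_up, zw_up = hull(upper(f("x"), f("y")), U4), hull(upper(f("z"), f("w")), U4)
    bank_x, bank_y = f("x") - zw_up, f("y") - zw_up            # bank-x', bank-y'
    oil_z, oil_w = f("z") - xy_up, f("w") - xy_up              # oil-z', oil-w'
    oil_z2 = oil_z - hull(lower(f("x"), f("y")), U4)           # oil-z''
    user = bank_x | bank_y | oil_z | oil_w                     # the database user E
    return {"bank-x": canon(f("x")), "x+y": canon(xy_up), "oil-z'": oil_z,
            "x'~>z'": flows(bank_x, oil_z), "y'~>z'": flows(bank_y, oil_z),
            "x'+y'~>z'": flows(upper(bank_x, bank_y), oil_z),
            "bottom oil-z'": bottom(oil_z), "bottom oil-z''": bottom(oil_z2),
            "X+Z": canon(upper(bank_x, oil_z)),
            "{X,Z}~>E": flows(upper(bank_x, oil_z), user),
            "{X,Y}~>E": flows(upper(bank_x, bank_y), user)}
```

`hospital_facts()` reproduces the table 6 entry for treatment, the aggregate $\{(\{m\},\{ta\}), (\{\},\{ta\})\}$ of treatment and accounts and that it flows only to management, the consultant's binding, and the administrator losing the flow to director (but not to records) after reading treatment. `wall_facts()` reproduces table 7 for bank-x, the aggregate of bank-x and bank-y, that ({z},{xyz}) is removed from oil-z', that bank-x' and bank-y' each flow to oil-z' while bank-x' $\oplus$ bank-y' does not, that $v(\text{oil-z''})$ fails, and that $\{X, Z\} \leadsto E$ is accepted while $\{X, Y\} \leadsto E$ is refused. One caveat of the hull reading of footnote [8]: oil-z' then also keeps elements such as ({xz},{xyz}) that the listing on the page omits; they change none of the flows checked here.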

If the reflexive policy was implemented using a powerset lattice then there is an implementation for policy join that is defined in terms of the powerset[9]. We need a similar implementation for policy join where the policy is built using a symmetric powerset lattice.